prevent changing a provisioned user's password

2025-08-03 16:07:24 -06:00
parent 15a7f86344
commit 81463614c9
8 changed files with 54 additions and 12 deletions
--- a/user/manager.go
+++ b/user/manager.go
@@ -1389,6 +1389,14 @@ func (a *Manager) ReservationOwner(topic string) (string, error) {

 // ChangePassword changes a user's password
 func (a *Manager) ChangePassword(username, password string, hashed bool) error {
+	user, err := a.User(username)
+	if err != nil {
+		return err
+	}
+	if user.Provisioned {
+		return ErrProvisionedUserPasswordChange
+	}
+
 	return execTx(a.db, func(tx *sql.Tx) error {
 		return a.changePasswordTx(tx, username, password, hashed)
 	})
--- a/user/manager_test.go
+++ b/user/manager_test.go
@@ -1209,6 +1209,9 @@ func TestManager_WithProvisionedUsers(t *testing.T) {
 	require.Equal(t, "tk_u48wqendnkx9er21pqqcadlytbutx", tokens[1].Value)
 	require.Equal(t, "Another token", tokens[1].Label)

+	// Try changing provisioned user's password
+	require.Error(t, a.ChangePassword("philuser", "new-pass", false))
+
 	// Re-open the DB again (third app start)
 	require.Nil(t, a.db.Close())
 	conf.Users = []*User{}
--- a/user/types.go
+++ b/user/types.go
@@ -244,15 +244,16 @@ const (

 // Error constants used by the package
 var (
-	ErrUnauthenticated     = errors.New("unauthenticated")
-	ErrUnauthorized        = errors.New("unauthorized")
-	ErrInvalidArgument     = errors.New("invalid argument")
-	ErrUserNotFound        = errors.New("user not found")
-	ErrUserExists          = errors.New("user already exists")
-	ErrPasswordHashInvalid = errors.New("password hash but be a bcrypt hash, use 'ntfy user hash' to generate")
-	ErrTierNotFound        = errors.New("tier not found")
-	ErrTokenNotFound       = errors.New("token not found")
-	ErrPhoneNumberNotFound = errors.New("phone number not found")
-	ErrTooManyReservations = errors.New("new tier has lower reservation limit")
-	ErrPhoneNumberExists   = errors.New("phone number already exists")
+	ErrUnauthenticated               = errors.New("unauthenticated")
+	ErrUnauthorized                  = errors.New("unauthorized")
+	ErrInvalidArgument               = errors.New("invalid argument")
+	ErrUserNotFound                  = errors.New("user not found")
+	ErrUserExists                    = errors.New("user already exists")
+	ErrPasswordHashInvalid           = errors.New("password hash but be a bcrypt hash, use 'ntfy user hash' to generate")
+	ErrTierNotFound                  = errors.New("tier not found")
+	ErrTokenNotFound                 = errors.New("token not found")
+	ErrPhoneNumberNotFound           = errors.New("phone number not found")
+	ErrTooManyReservations           = errors.New("new tier has lower reservation limit")
+	ErrPhoneNumberExists             = errors.New("phone number already exists")
+	ErrProvisionedUserPasswordChange = errors.New("cannot change password of provisioned user")
 )