Refuse to update manually created users

2025-07-27 11:02:34 +02:00
parent 27b3a89247
commit f3c67f1d71
5 changed files with 50 additions and 13 deletions
--- a/user/manager.go
+++ b/user/manager.go
@@ -1697,13 +1697,17 @@ func (a *Manager) maybeProvisionUsersAndAccess() error {
 				if err := a.addUserTx(tx, user.Name, user.Hash, user.Role, true, true); err != nil && !errors.Is(err, ErrUserExists) {
 					return fmt.Errorf("failed to add provisioned user %s: %v", user.Name, err)
 				}
-			} else if existingUser.Provisioned && (existingUser.Hash != user.Hash || existingUser.Role != user.Role) {
-				log.Tag(tag).Info("Updating provisioned user %s", user.Name)
-				if err := a.changePasswordTx(tx, user.Name, user.Hash, true); err != nil {
-					return fmt.Errorf("failed to change password for provisioned user %s: %v", user.Name, err)
-				}
-				if err := a.changeRoleTx(tx, user.Name, user.Role); err != nil {
-					return fmt.Errorf("failed to change role for provisioned user %s: %v", user.Name, err)
+			} else {
+				if !existingUser.Provisioned {
+					log.Tag(tag).Warn("Refusing to update manually user %s", user.Name)
+				} else if existingUser.Hash != user.Hash || existingUser.Role != user.Role {
+					log.Tag(tag).Info("Updating provisioned user %s", user.Name)
+					if err := a.changePasswordTx(tx, user.Name, user.Hash, true); err != nil {
+						return fmt.Errorf("failed to change password for provisioned user %s: %v", user.Name, err)
+					}
+					if err := a.changeRoleTx(tx, user.Name, user.Role); err != nil {
+						return fmt.Errorf("failed to change role for provisioned user %s: %v", user.Name, err)
+					}
 				}
 			}
 		}
--- a/user/manager_test.go
+++ b/user/manager_test.go
@@ -1193,6 +1193,39 @@ func TestManager_WithProvisionedUsers(t *testing.T) {
 	require.Equal(t, "*", users[1].Name)
 }

+func TestManager_DoNotUpdateNonProvisionedUsers(t *testing.T) {
+	f := filepath.Join(t.TempDir(), "user.db")
+	conf := &Config{
+		Filename:         f,
+		DefaultAccess:    PermissionReadWrite,
+		ProvisionEnabled: true,
+		ProvisionUsers:   []*User{},
+		ProvisionAccess:  map[string][]*Grant{},
+	}
+	a, err := NewManager(conf)
+	require.Nil(t, err)
+
+	// Manually add user
+	require.Nil(t, a.AddUser("philuser", "manual", RoleUser, false))
+
+	// Re-open the DB (second app start)
+	require.Nil(t, a.db.Close())
+	conf.ProvisionUsers = []*User{
+		{Name: "philuser", Hash: "$2a$10$AAAU21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C", Role: RoleAdmin},
+	}
+	conf.ProvisionAccess = map[string][]*Grant{}
+	a, err = NewManager(conf)
+	require.Nil(t, err)
+
+	// Check that the provisioned users are there
+	users, err := a.Users()
+	require.Nil(t, err)
+	require.Len(t, users, 2)
+	require.Equal(t, "philuser", users[0].Name)
+	require.Equal(t, RoleUser, users[0].Role) // Should not have been updated
+	require.NotEqual(t, "$2a$10$AAAU21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C", users[0].Hash)
+}
+
 func TestToFromSQLWildcard(t *testing.T) {
 	require.Equal(t, "up%", toSQLWildcard("up*"))
 	require.Equal(t, "up\\_%", toSQLWildcard("up_*"))