diff --git a/http/auth.go b/http/auth.go index d975beae..59f15a36 100644 --- a/http/auth.go +++ b/http/auth.go @@ -171,6 +171,12 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int, // if that is the default permission. user.Perm.Admin = false + // Self-registered users should not inherit execution capabilities from + // default settings, regardless of what the administrator has configured + // as the default. Execution rights must be explicitly granted by an admin. + user.Perm.Execute = false + user.Commands = []string{} + pwd, err := users.ValidateAndHashPwd(info.Password, d.settings.MinimumPasswordLength) if err != nil { return http.StatusBadRequest, err