fix: request a password to change sensitive user data (#5629)

2026-01-23 02:35:10 +00:00 · 2026-01-03 02:44:03 -05:00 · 2026-01-03 02:44:03 -05:00 · b8151a038a
commit b8151a038a
parent 943e5340d0
9 changed files with 103 additions and 26 deletions
--- a/http/http.go
+++ b/http/http.go
@ -11,8 +11,9 @@ import (
 )

 type modifyRequest struct {
-	What  string   `json:"what"`  // Answer to: what data type?
-	Which []string `json:"which"` // Answer to: which fields?
+	What            string   `json:"what"`             // Answer to: what data type?
+	Which           []string `json:"which"`            // Answer to: which fields?
+	CurrentPassword string   `json:"current_password"` // Answer to: user logged password
 }

 func NewHandler(
--- a/http/settings.go
+++ b/http/settings.go
@ -15,6 +15,7 @@ type settingsData struct {
 	MinimumPasswordLength uint                  `json:"minimumPasswordLength"`
 	UserHomeBasePath      string                `json:"userHomeBasePath"`
 	Defaults              settings.UserDefaults `json:"defaults"`
+	AuthMethod            settings.AuthMethod   `json:"authMethod"`
 	Rules                 []rules.Rule          `json:"rules"`
 	Branding              settings.Branding     `json:"branding"`
 	Tus                   settings.Tus          `json:"tus"`
@ -30,6 +31,7 @@ var settingsGetHandler = withAdmin(func(w http.ResponseWriter, r *http.Request,
 		MinimumPasswordLength: d.settings.MinimumPasswordLength,
 		UserHomeBasePath:      d.settings.UserHomeBasePath,
 		Defaults:              d.settings.Defaults,
+		AuthMethod:            d.settings.AuthMethod,
 		Rules:                 d.settings.Rules,
 		Branding:              d.settings.Branding,
 		Tus:                   d.settings.Tus,
--- a/http/users.go
+++ b/http/users.go
@ -12,6 +12,7 @@ import (
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"

+	"github.com/filebrowser/filebrowser/v2/auth"
 	fberrors "github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
 )
@ -117,6 +118,12 @@ var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *
 		return http.StatusBadRequest, err
 	}

+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+		}
+	}
+
 	if len(req.Which) != 0 {
 		return http.StatusBadRequest, nil
 	}
@ -153,6 +160,27 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 		return http.StatusBadRequest, err
 	}

+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		var sensibleFields = map[string]struct{}{
+			"all":          {},
+			"username":     {},
+			"password":     {},
+			"scope":        {},
+			"lockPassword": {},
+			"commands":     {},
+			"perm":         {},
+		}
+
+		for _, field := range req.Which {
+			if _, ok := sensibleFields[field]; ok {
+				if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+					return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+				}
+				break
+			}
+		}
+	}
+
 	if req.Data.ID != d.raw.(uint) {
 		return http.StatusBadRequest, nil
 	}