fix: request a password to change sensitive user data (#5629)

2026-01-23 02:35:10 +00:00 · 2026-01-03 02:44:03 -05:00 · 2026-01-03 02:44:03 -05:00 · b8151a038a
commit b8151a038a
parent 943e5340d0
9 changed files with 103 additions and 26 deletions
--- a/http/users.go
+++ b/http/users.go
@ -12,6 +12,7 @@ import (
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"

+	"github.com/filebrowser/filebrowser/v2/auth"
 	fberrors "github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
 )
@ -117,6 +118,12 @@ var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *
 		return http.StatusBadRequest, err
 	}

+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+		}
+	}
+
 	if len(req.Which) != 0 {
 		return http.StatusBadRequest, nil
 	}
@ -153,6 +160,27 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 		return http.StatusBadRequest, err
 	}

+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		var sensibleFields = map[string]struct{}{
+			"all":          {},
+			"username":     {},
+			"password":     {},
+			"scope":        {},
+			"lockPassword": {},
+			"commands":     {},
+			"perm":         {},
+		}
+
+		for _, field := range req.Which {
+			if _, ok := sensibleFields[field]; ok {
+				if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+					return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+				}
+				break
+			}
+		}
+	}
+
 	if req.Data.ID != d.raw.(uint) {
 		return http.StatusBadRequest, nil
 	}