fix: request current password when deleting users (#5667)

Ariel Leyva 2026-01-18 02:36:25 -05:00 committed by GitHub
parent 59ca0c340a
commit cfa6c5864e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 29 additions and 8 deletions


@ -103,7 +103,25 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
return renderJSON(w, r, u)
})
var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, _ *http.Request, d *data) (int, error) {
var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
if r.Body == nil {
return http.StatusBadRequest, fberrors.ErrEmptyRequest
}
var body struct {
CurrentPassword string `json:"current_password"`
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
return http.StatusBadRequest, err
}
if d.settings.AuthMethod == auth.MethodJSONAuth {
if !users.CheckPwd(body.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
}
err := d.store.Users.Delete(d.raw.(uint))
if err != nil {
return errToStatus(err), err
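Review bot: The `r.Body == nil` guard at the top of `userDeleteHandler` does not catch an empty request, because net/http always gives server handlers a non-nil Body; a DELETE without a body reaches `Decode`, which fails with `io.EOF`, and that raw error is returned instead of `fberrors.ErrEmptyRequest`. The decode also runs before the `d.settings.AuthMethod == auth.MethodJSONAuth` check, so a request under any other auth method is rejected with 400 unless it carries a JSON body that is then never used. I would move the struct and the `Decode` call inside the JSON-auth branch and map the empty case explicitly, e.g. `if errors.Is(err, io.EOF) { return http.StatusBadRequest, fberrors.ErrEmptyRequest }` (assuming `errors` and `io` are imported in this file). Since this is a re-authentication check guarding a destructive action, it is also worth logging failed password attempts and bounding the body with `http.MaxBytesReader`, which needs the ResponseWriter parameter named instead of `_`. The handler's body continues past the end of the hunk.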