Mirrors/filebrowser
1
0
Fork 0
mirror of https://github.com/filebrowser/filebrowser.git synced 2026-01-23 02:35:10 +00:00
Code Issues Projects Releases Wiki Activity

fix: request current password when deleting users (#5667)

Browse source
This commit is contained in:
Ariel Leyva 2026-01-18 02:36:25 -05:00 committed by GitHub
parent 59ca0c340a
commit cfa6c5864e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 29 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

8
frontend/src/api/users.ts
View file

@ -42,8 +42,14 @@ export async function update(
}); });
} }
export async function remove(id: number) { export async function remove(
id: number,
currentPassword: string | null = null
) {
await fetchURL(`/api/users/${id}`, { await fetchURL(`/api/users/${id}`, {
method: "DELETE", method: "DELETE",
body: JSON.stringify({
...(currentPassword != null ? { current_password: currentPassword } : {}),
}),
}); });
} }

9
frontend/src/views/settings/User.vue
View file

@ -71,6 +71,7 @@ import { computed, inject, onMounted, ref, watch } from "vue";
import { useRoute, useRouter } from "vue-router"; import { useRoute, useRouter } from "vue-router";
import { useI18n } from "vue-i18n"; import { useI18n } from "vue-i18n";
import { StatusError } from "@/api/utils"; import { StatusError } from "@/api/utils";
import { authMethod } from "@/utils/constants";
const error = ref<StatusError>(); const error = ref<StatusError>();
const originalUser = ref<IUser>(); const originalUser = ref<IUser>();
@ -105,11 +106,7 @@ const fetchData = async () => {
try { try {
if (isNew.value) { if (isNew.value) {
const { const { defaults, createUserDir: _createUserDir } = await settings.get();
authMethod,
defaults,
createUserDir: _createUserDir,
} = await settings.get();
isCurrentPasswordRequired.value = authMethod == "json"; isCurrentPasswordRequired.value = authMethod == "json";
createUserDir.value = _createUserDir; createUserDir.value = _createUserDir;
user.value = { user.value = {
@ -146,7 +143,7 @@ const deleteUser = async (e: Event) => {
return false; return false;
} }
try { try {
await api.remove(user.value.id); await api.remove(user.value.id, currentPassword.value);
router.push({ path: "/settings/users" }); router.push({ path: "/settings/users" });
$showSuccess(t("settings.userDeleted")); $showSuccess(t("settings.userDeleted"));
} catch (err) { } catch (err) {

20
http/users.go
View file

@ -103,7 +103,25 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
return renderJSON(w, r, u) return renderJSON(w, r, u)
}) })
var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, _ *http.Request, d *data) (int, error) { var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
if r.Body == nil {
return http.StatusBadRequest, fberrors.ErrEmptyRequest
}
var body struct {
CurrentPassword string `json:"current_password"`
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
return http.StatusBadRequest, err
}
if d.settings.AuthMethod == auth.MethodJSONAuth {
if !users.CheckPwd(body.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
}
err := d.store.Users.Delete(d.raw.(uint)) err := d.store.Users.Delete(d.raw.(uint))
if err != nil { if err != nil {
return errToStatus(err), err return errToStatus(err), err