8000 fix: prevent guest user from updating profile by yclw · Pull Request #8447 · AlistGo/alist · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix: prevent guest user from updating profile #8447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 29, 2025
Merged

fix: prevent guest user from updating profile #8447

merged 1 commit into from
Apr 29, 2025

Conversation

yclw
Copy link
Contributor
@yclw yclw commented Apr 27, 2025

Problem Description

Currently, if the guest account is enabled, anyone can modify the guest user's username and password through the /api/me/update API endpoint without any authentication (something that even admins cannot do through the user management interface). While testing has not revealed any severe security issues, I believe no one wants to see the GUEST username changed to "You are cute" (⁄ ⁄•⁄ω⁄•⁄ ⁄) .

postman post1

admin user1

Changes Made

Added a check for Guest users in the UpdateCurrent function. When a Guest user attempts to modify their profile information, the system now returns a 403 error and blocks the operation. This is consistent with restrictions applied to Guest users in other functions (such as Generate2FA).

This small change ensures your GUEST user won't suddenly become unexpectedly charming without your permission.

@petercat-assistant PeterCat-assistant
Copy link

Walkthrough

This pull request addresses a security issue where guest users could modify their profile information without authentication. The change introduces a check in the UpdateCurrent function to prevent guest users from updating their username and password, returning a 403 error if attempted.

Changes

File Summary
server/handles/auth.go Added a condition to block guest users from updating their profile, ensuring a 403 error is returned when such an attempt is made.

@xhofe xhofe merged commit 11e7284 into AlistGo:main Apr 29, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petercat-assistant petercat-assistant[bot] petercat-assistant[bot] left review comments

@xrgzs xrgzs xrgzs approved these changes

@xhofe xhofe xhofe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yclw @xrgzs @xhofe
0