vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.

commit 00a11b1b784af6283a8321d240a309bb637d23a6
parent 77b78f09913e70c5f313980657b5c9ba02c2eb3b
Author: Miro Prasil <miro@circleci.com>
Date:   Fri,  1 Nov 2019 22:34:42 +0000

Stop leaking usernames when SIGNUPS_ALLOWED=false

This fixes #691 - respond in a less specific way so as not to leak the
fact that a user is already registered on the server.

Diffstat:
Msrc/api/core/accounts.rs | 10+++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
@@ -62,7 +62,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
 let mut user = match User::find_by_mail(&data.Email, &conn) {
 Some(user) => {
 if !user.password_hash.is_empty() {
- err!("User already exists")
+ if CONFIG.signups_allowed() {
+ err!("User already exists")
+ } else {
+ err!("Registration not allowed or user already exists")
+ }
 }
 
 if let Some(token) = data.Token {
@@ -82,14 +86,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
 } else if CONFIG.signups_allowed() {
 err!("Account with this email already exists")
 } else {
- err!("Registration not allowed")
+ err!("Registration not allowed or user already exists")
 }
 }
 None => {
 if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
 User::new(data.Email.clone())
 } else {
- err!("Registration not allowed")
+ err!("Registration not allowed or user already exists")
 }
 }
 };
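Review bot: Making the message text identical closes only one half of the oracle; the refusal paths can still be told apart by what the server does before answering. The existing-account path on the added `else` branch errors straight out of the `password_hash` check, whereas the `None` arm in the second hunk first calls `Invitation::take`, which by its name looks like a database round trip and possibly a delete, so a measurable timing gap between a registered and an unknown address may remain even with the same text. I cannot see `err!` from here; it should also yield the same status code and body shape at all three sites, which is worth asserting in a test rather than assuming. The intent deserves a line so a later cleanup does not re-split the branches: `// Same text as the other refusals below: a distinct message would confirm the address is registered (#691).` `register` starts before this hunk and continues past it.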
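Review bot: The refusal string now appears at three sites in this function (two in this hunk, one in the earlier one) as a bare literal, and the fix only holds while all three stay byte-identical; a one-character drift in any copy silently reopens the enumeration oracle. Hoist it once, e.g. `const SIGNUP_REFUSED: &str = "Registration not allowed or user already exists";` at module level and write `err!(SIGNUP_REFUSED)` at each site, assuming `err!` accepts an expression rather than only a string literal, which this page does not show. A test that registers a known and an unknown address with `SIGNUPS_ALLOWED=false` and compares the two responses would pin the property this commit is buying. The closing `};` ends the `match`, but `register` continues past the hunk.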