commit e2e37129215a437619610ac530a01eb5a72e4d53
parent 77b78f09913e70c5f313980657b5c9ba02c2eb3b
Author: Daniel GarcĂa <dani-garcia@users.noreply.github.com>
Date: Sat, 2 Nov 2019 00:12:53 +0100
Merge pull request #695 from mprasil/do-not-leak-usernames
Stop leaking usernames when SIGNUPS_ALLOWED=false
Diffstat:
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
@@ -62,7 +62,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => {
if !user.password_hash.is_empty() {
- err!("User already exists")
+ if CONFIG.signups_allowed() {
+ err!("User already exists")
+ } else {
+ err!("Registration not allowed or user already exists")
+ }
}
if let Some(token) = data.Token {
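Review bot: The message added in the `else` branch here is one of three copies of the same literal (the other two are in the second hunk), and the fix only holds while all three stay byte-identical. A shared constant, e.g. `const REGISTRATION_DENIED: &str = "Registration not allowed or user already exists";`, used at all three sites would stop a later wording change from reintroducing a distinguishable response, assuming `err!` accepts a non-literal expression. A comment above the `CONFIG.signups_allowed()` check, such as `// Same reply as the unknown-email case, so a closed instance does not confirm which addresses are registered`, would record why the branch exists. The body of `register` and the `if let Some(token)` branch continue outside this hunk.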
@@ -82,14 +86,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
} else if CONFIG.signups_allowed() {
err!("Account with this email already exists")
} else {
- err!("Registration not allowed")
+ err!("Registration not allowed or user already exists")
}
}
None => {
if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
User::new(data.Email.clone())
} else {
- err!("Registration not allowed")
+ err!("Registration not allowed or user already exists")
}
}
};
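Review bot: The denial paths in this hunk now return the same text, but the message is only one of the observable differences between a registered and an unregistered address. The `None` arm calls `Invitation::take`, while the existing-user arm goes through the token check that sits between the two hunks and is not shown here. With signups disabled, it is worth confirming that a token-validation error in that branch does not identify an invited but unregistered address, and that all denial paths share one status code. If operators rely on the server log to notice enumeration attempts, consider keeping the specific reason in the log entry while the client receives only the generic text.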