fix masterkey auth

2025-09-04 04:04:17 +08:00 · 2025-06-07 07:11:38 +05:30 · 2025-06-07 07:11:38 +05:30 · 6bec2164a0
commit 6bec2164a0
parent 968ffe4db2
3 changed files with 19 additions and 10 deletions
--- a/controllers/user.go
+++ b/controllers/user.go
@ -710,6 +710,10 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 	if !servercfg.IsPro {
 		user.PlatformRoleID = models.AdminRole
 	}
+	if user.UserName == logic.MasterUser {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not allowed"), "badrequest"))
+		return
+	}

 	if user.PlatformRoleID == "" {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
--- a/logic/auth.go
+++ b/logic/auth.go
@ -282,6 +282,10 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 		if _, err := GetUser(userchange.UserName); err == nil {
 			return &models.User{}, errors.New("username exists already")
 		}
+		if userchange.UserName == MasterUser {
+			return &models.User{}, errors.New("username not allowed")
+		}
+
 		user.UserName = userchange.UserName
 	}
 	if userchange.Password != "" {
--- a/logic/security.go
+++ b/logic/security.go
@ -33,17 +33,18 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
 			return
 		}
+		if username != MasterUser {
+			user, err := GetUser(username)
+			if err != nil {
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}

-		user, err := GetUser(username)
-		if err != nil {
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
-		}
-
-		if user.AccountDisabled {
-			err = errors.New("user account disabled")
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
+			if user.AccountDisabled {
+				err = errors.New("user account disabled")
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}
 		}

 		// detect masteradmin