unhide public keys

hiding public keys give no security improvement
2024-11-21 23:20:24 +00:00 · 2019-10-03 15:29:54 +02:00 · 2019-10-03 15:29:54 +02:00 · bb0338870a
commit bb0338870a
parent fb8ccfe824
5 changed files with 4 additions and 10 deletions
--- a/api/api_utils.go
+++ b/api/api_utils.go
@ -275,9 +275,6 @@ func checkUser(expected dataprovider.User, actual dataprovider.User) error {
 	if len(actual.Password) > 0 {
 		return errors.New("User password must not be visible")
 	}
-	if len(actual.PublicKeys) > 0 {
-		return errors.New("User public keys must not be visible")
-	}
 	if expected.ID <= 0 {
 		if actual.ID <= 0 {
 			return errors.New("actual user ID must be > 0")
--- a/api/schema/openapi.yaml
+++ b/api/schema/openapi.yaml
@ -184,7 +184,7 @@ paths:
      tags:
      - users
      summary: Returns an array with one or more users
-      description: For security reasons password and public key are empty in the response
+      description: For security reasons passwords are empty in the response
      operationId: get_users
      parameters:
        - in: query
@ -311,7 +311,7 @@ paths:
      tags:
      - users
      summary: Find user by ID
-      description: For security reasons password and public key are empty in the response
+      description: For security reasons passwords are empty in the response
      operationId: get_user_by_id
      parameters: 
      - name: userID
@ -545,7 +545,7 @@ components:
          items:
            type: string
          nullable: true
-          description: a password or at least one public key are mandatory. For security reasons this field is omitted when you search/get users.
+          description: a password or at least one public key are mandatory.
        home_dir:
          type: string
          description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path
--- a/api/user.go
+++ b/api/user.go
@ -64,7 +64,6 @@ func getUserByID(w http.ResponseWriter, r *http.Request) {
 	user, err := dataprovider.GetUserByID(dataProvider, userID)
 	if err == nil {
 		user.Password = ""
-		user.PublicKeys = []string{}
 		render.JSON(w, r, user)
 	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
 		sendAPIResponse(w, r, err, "", http.StatusNotFound)
--- a/dataprovider/bolt.go
+++ b/dataprovider/bolt.go
@ -303,7 +303,6 @@ func (p BoltProvider) close() error {

 func getUserNoCredentials(user *User) User {
 	user.Password = ""
-	user.PublicKeys = []string{}
 	return *user
 }

--- a/dataprovider/sqlcommon.go
+++ b/dataprovider/sqlcommon.go
@ -202,10 +202,9 @@ func sqlCommonGetUsers(limit int, offset int, order string, username string, dbH
 		defer rows.Close()
 		for rows.Next() {
 			u, err := getUserFromDbRow(nil, rows)
-			// hide password and public key
+			// hide password
 			if err == nil {
 				u.Password = ""
-				u.PublicKeys = []string{}
 				users = append(users, u)
 			} else {
 				break