unhide public keys

hiding public keys gives no security improvement
Nicola Murino 2019-10-03 15:29:54 +02:00
parent fb8ccfe824
commit bb0338870a
5 changed files with 4 additions and 10 deletions


@ -275,9 +275,6 @@ func checkUser(expected dataprovider.User, actual dataprovider.User) error {
if len(actual.Password) > 0 { if len(actual.Password) > 0 {
return errors.New("User password must not be visible") return errors.New("User password must not be visible")
} }
if len(actual.PublicKeys) > 0 {
return errors.New("User public keys must not be visible")
}
if expected.ID <= 0 { if expected.ID <= 0 {
if actual.ID <= 0 { if actual.ID <= 0 {
return errors.New("actual user ID must be > 0") return errors.New("actual user ID must be > 0")


@ -184,7 +184,7 @@ paths:
tags: tags:
- users - users
summary: Returns an array with one or more users summary: Returns an array with one or more users
description: For security reasons password and public key are empty in the response description: For security reasons passwords are empty in the response
operationId: get_users operationId: get_users
parameters: parameters:
- in: query - in: query
@ -311,7 +311,7 @@ paths:
tags: tags:
- users - users
summary: Find user by ID summary: Find user by ID
description: For security reasons password and public key are empty in the response description: For security reasons passwords are empty in the response
operationId: get_user_by_id operationId: get_user_by_id
parameters: parameters:
- name: userID - name: userID
@ -545,7 +545,7 @@ components:
items: items:
type: string type: string
nullable: true nullable: true
description: a password or at least one public key are mandatory. For security reasons this field is omitted when you search/get users. description: a password or at least one public key are mandatory.
home_dir: home_dir:
type: string type: string
description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path


@ -64,7 +64,6 @@ func getUserByID(w http.ResponseWriter, r *http.Request) {
user, err := dataprovider.GetUserByID(dataProvider, userID) user, err := dataprovider.GetUserByID(dataProvider, userID)
if err == nil { if err == nil {
user.Password = "" user.Password = ""
user.PublicKeys = []string{}
render.JSON(w, r, user) render.JSON(w, r, user)
} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok { } else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
sendAPIResponse(w, r, err, "", http.StatusNotFound) sendAPIResponse(w, r, err, "", http.StatusNotFound)


@ -303,7 +303,6 @@ func (p BoltProvider) close() error {
func getUserNoCredentials(user *User) User { func getUserNoCredentials(user *User) User {
user.Password = "" user.Password = ""
user.PublicKeys = []string{}
return *user return *user
} }


@ -202,10 +202,9 @@ func sqlCommonGetUsers(limit int, offset int, order string, username string, dbH
defer rows.Close() defer rows.Close()
for rows.Next() { for rows.Next() {
u, err := getUserFromDbRow(nil, rows) u, err := getUserFromDbRow(nil, rows)
// hide password and public key // hide password
if err == nil { if err == nil {
u.Password = "" u.Password = ""
u.PublicKeys = []string{}
users = append(users, u) users = append(users, u)
} else { } else {
break break
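Review bot: The `err` declared by `u, err := getUserFromDbRow(nil, rows)` is scoped to the loop body, and the `else` branch only does `break`, so in the visible lines a row that fails to load ends the loop without the error being recorded anywhere. Nothing after the loop can see that variable, so the caller may receive a truncated user list that looks like a successful result. I would declare the error variable before the loop, assign to it before `break`, and, assuming `rows` is a `*sql.Rows`, also check `rows.Err()` once the loop ends. The rest of sqlCommonGetUsers, including its return statement, is outside the hunk.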