Only allow local login if password is non-empty (#5906) (#5908)

author: zeripath <art27@cantab.net> 2019-01-30 21:46:19 +0000
committer: Lauris BH <lauris@nix.lv> 2019-01-30 23:46:19 +0200
commit: e5af93af20f45ba424ea15c51848f8f8bf51cc75 (patch)
tree: 444a66e0ee7507992a12e3e4fc35dd2819db4266
parent: 3f802a28464491b6b9b84579bac4fec53d4586db (diff)
download: gitea-e5af93af20f45ba424ea15c51848f8f8bf51cc75.tar.gz
gitea-e5af93af20f45ba424ea15c51848f8f8bf51cc75.zip
2 files changed, 2 insertions, 2 deletions
diff --git a/models/login_source.go b/models/login_source.go
index 25c7aa3120..46bf3a5e3a 100644
--- a/models/login_source.go
+++ b/models/login_source.go
@@ -644,7 +644,7 @@ func UserSignIn(username, password string) (*User, error) {
 	if hasUser {
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
-			if user.ValidatePassword(password) {
+			if user.IsPasswordSet() && user.ValidatePassword(password) {
 				return user, nil
 			}
 
diff --git a/modules/lfs/server.go b/modules/lfs/server.go
index f0f2d4bf44..58acbb807e 100644
--- a/modules/lfs/server.go
+++ b/modules/lfs/server.go
@@ -582,7 +582,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
 		if err != nil {
 			return nil, nil, "basic", err
 		}
-		if !u.ValidatePassword(password) {
+		if !u.IsPasswordSet() || !u.ValidatePassword(password) {
 			return nil, nil, "basic", fmt.Errorf("Basic auth failed")
 		}
 		return u, nil, "basic", nil
author	zeripath <art27@cantab.net>	2019-01-30 21:46:19 +0000
committer	Lauris BH <lauris@nix.lv>	2019-01-30 23:46:19 +0200
commit	e5af93af20f45ba424ea15c51848f8f8bf51cc75 (patch)
tree	444a66e0ee7507992a12e3e4fc35dd2819db4266
parent	3f802a28464491b6b9b84579bac4fec53d4586db (diff)
download	gitea-e5af93af20f45ba424ea15c51848f8f8bf51cc75.tar.gz gitea-e5af93af20f45ba424ea15c51848f8f8bf51cc75.zip