🐛 fix(users.py): prevent users from changing their password in the patch_user endpoint to ensure security

🐛 fix(users.py): prevent users from using their current password when resetting their password to ensure security
Gabriel Luiz Freitas Almeida 2023-09-08 16:42:56 -03:00
commit a68535cbe4


@ -97,6 +97,10 @@ def patch_user(
raise HTTPException(
status_code=403, detail="You don't have the permission to update this user"
)
if user.password:
raise HTTPException(
status_code=400, detail="You can't change your password here"
)
if user_db := get_user_by_id(session, user_id):
return update_user(user_db, user_update, session)
@ -122,6 +126,10 @@ def reset_password(
if not user:
raise HTTPException(status_code=404, detail="User not found")
new_password = get_password_hash(user_update.password)
if new_password == user.password:
raise HTTPException(
status_code=400, detail="You can't use your current password"
)
user.password = new_password
session.commit()
session.refresh(user)
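Review bot: The "same password" guard in reset_password compares `get_password_hash(user_update.password)` against the stored `user.password`, which only works if the hash scheme is deterministic; with a salted scheme (bcrypt/argon2, the usual choice behind a get_password_hash helper) two hashes of the same plaintext differ, so the 400 branch would never fire and the check is dead. The comparison should use the project's plaintext-versus-hash verification routine — the one the login path uses — e.g. `if verify_password(user_update.password, user.password):` (helper name constructed; substitute whatever login calls), with `new_password = get_password_hash(...)` computed only after that check passes. The first hunk in patch_user has a related naming doubt: the guard reads `user.password` while the update is applied from `user_update`, so if `user` is the authenticated caller rather than the request body, its stored hash is always set and every patch would be rejected — worth confirming against the signature, which lies outside the hunk. reset_password's body continues past the end of this hunk.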