From 70f8b4d49510d9e4a67ad62657da02cb519e7998 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sat, 25 Jan 2025 16:40:53 +0100 Subject: [PATCH] WebAdmin: allow to create admins with an unusable password Signed-off-by: Nicola Murino --- internal/httpd/httpd_test.go | 7 ------- internal/httpd/webadmin.go | 6 +++++- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go index 026b2bc5..e77e86e5 100644 --- a/internal/httpd/httpd_test.go +++ b/internal/httpd/httpd_test.go @@ -20871,13 +20871,6 @@ func TestWebAdminBasicMock(t *testing.T) { assert.Contains(t, rr.Body.String(), util.I18nError500Message) form.Set("default_users_expiration", "10") - req, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode()))) - req.RemoteAddr = defaultRemoteAddr - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - setJWTCookieForReq(req, token) - rr = executeRequest(req) - checkResponseCode(t, http.StatusOK, rr) - form.Set("password", admin.Password) req, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode()))) req.RemoteAddr = defaultRemoteAddr diff --git a/internal/httpd/webadmin.go b/internal/httpd/webadmin.go index 0a1cbc34..a32afca0 100644 --- a/internal/httpd/webadmin.go +++ b/internal/httpd/webadmin.go @@ -3111,7 +3111,11 @@ func (s *httpdServer) handleWebAddAdminPost(w http.ResponseWriter, r *http.Reque s.renderAddUpdateAdminPage(w, r, &admin, err, true) return } - if admin.Password == "" && s.binding.isWebAdminLoginFormDisabled() { + if admin.Password == "" { + // Administrators can be used with OpenID Connect or for authentication + // via API key, in these cases the password is not necessary, we create + // a non-usable one. This feature is only useful for WebAdmin, in REST + // API you can create an unusable password externally. admin.Password = util.GenerateUniqueID() } ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)