fix changing password with non-existent user

2025-09-27 23:02:54 +02:00
parent fe0e8f8d0c
commit 6bc05bcca3
2 changed files with 12 additions and 2 deletions
--- a/luser/models.py
+++ b/luser/models.py
@@ -272,6 +272,10 @@ class LUSER():
        # Search LDAP entries that have object class inetOrgPerson and uid attribute equal to given user field
        self.ldapconnection.search(search_base=self.base,search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))', attributes=['userPassword'])

+        ## Check if user exists
+        if self.ldapconnection.response == []:
+            return False;
+
        # Return userPassword attribute from the response
        userpass = self.ldapconnection.response[0]['attributes']['userPassword'][0]
        
--- a/luser/routes.py
+++ b/luser/routes.py
@@ -36,8 +36,14 @@ def changepassword():
        # Create a LUSER connection
        luser = LUSER(LDAPHOST,LDAPADMINNAME,LDAPPASS,USERBASE,ALTUSERBASE)

-        if ldap_salted_sha1.verify(oldpassword, luser.getpassword(username)) == False and oldpassword != LDAPPASS:
-                return 'Wrong username/password combination'
+        # Retrive current password
+        currentpassword = luser.getpassword(username)
+
+        if currentpassword == False:
+            return 'User doesn't exist'
+
+        if ldap_salted_sha1.verify(oldpassword, currentpassword) == False and oldpassword != LDAPPASS:
+            return 'Wrong username/password combination'

        ldaphash = ldap_salted_sha1.hash(newpassword)
        althash = sha512_crypt.hash(newpassword)