From 6bc05bcca3b3f390a7514d1994aa73cb63bb2528 Mon Sep 17 00:00:00 2001
From: fram3d
Date: Sat, 27 Sep 2025 23:02:54 +0200
Subject: [PATCH] fix changing password with non-existent user
---
 luser/models.py | 4 ++++
 luser/routes.py | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/luser/models.py b/luser/models.py
index 7d8ae21..01ea6f0 100644
--- a/luser/models.py
+++ b/luser/models.py
@@ -272,6 +272,10 @@ class LUSER():
 # Search LDAP entries that have object class inetOrgPerson and uid attribute equal to given user field
 self.ldapconnection.search(search_base=self.base,search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))', attributes=['userPassword'])
+ ## Check if user exists
+ if self.ldapconnection.response == []:
+ return False;
+
 # Return userPassword attribute from the response
 userpass = self.ldapconnection.response[0]['attributes']['userPassword'][0]
diff --git a/luser/routes.py b/luser/routes.py
index e41b3e8..2d546e3 100644
--- a/luser/routes.py
+++ b/luser/routes.py
@@ -36,8 +36,14 @@ def changepassword():
 # Create a LUSER connection
 luser = LUSER(LDAPHOST,LDAPADMINNAME,LDAPPASS,USERBASE,ALTUSERBASE)
- if ldap_salted_sha1.verify(oldpassword, luser.getpassword(username)) == False and oldpassword != LDAPPASS:
- return 'Wrong username/password combination'
+ # Retrive current password
+ currentpassword = luser.getpassword(username)
+
+ if currentpassword == False:
+ return 'User doesn't exist'
+
+ if ldap_salted_sha1.verify(oldpassword, currentpassword) == False and oldpassword != LDAPPASS:
+ return 'Wrong username/password combination'
 ldaphash = ldap_salted_sha1.hash(newpassword)
 althash = sha512_crypt.hash(newpassword)
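Review bot: In luser/models.py the search filter directly above the new existence check interpolates `user` into `(uid={user})` without escaping, so LDAP filter metacharacters in the supplied name can change which entry `response[0]` refers to, and the added `response == []` test would still pass. If `user` reaches this method from request input (the caller is outside this hunk), escape it before building the filter, e.g. `escape_filter_chars(user)` from `ldap3.utils.conv`, assuming this connection object is ldap3. The enclosing method starts and ends outside the hunk.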
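Review bot: In luser/routes.py the added `return 'User doesn't exist'` is a syntax error as shown: the apostrophe in "doesn't" closes the single-quoted literal, so the module would not import. A separate reply for unknown accounts also lets a caller distinguish valid usernames from invalid ones before any password is verified. Returning the existing failure text in that branch fixes both: `return 'Wrong username/password combination'`. The `oldpassword != LDAPPASS` override on the re-added condition is a plain string comparison; if it stays, `hmac.compare_digest` on the encoded values avoids a timing difference. changepassword() starts and ends outside the hunk.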