Changeset - 995254e30c7b
[Not reviewed]
default
0 1 0
Mads Kiilerich - 9 years ago 2016-09-12 17:41:19
madski@unity3d.com
user: when updating a user, never set the password to None - the field is not nullable

We also don't allow setting an empty password. Setting the database value to the empty
string is secure but will never match any password.
1 file changed with 1 insertions and 1 deletions:
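--- a/kallithea/model/user.py
+++ b/kallithea/model/user.py
@@ -154,25 +154,25 @@ class UserModel(BaseModel):
             new_user.lastname = lastname
 
             if not edit:
                 new_user.api_key = generate_api_key()
 
             # set password only if creating an user or password is changed
             password_change = new_user.password and \
                 not check_password(password, new_user.password)
             if not edit or password_change:
                 reason = 'new password' if edit else 'new user'
                 log.debug('Updating password reason=>%s', reason)
                 new_user.password = get_crypt_password(password) \
-                    if password else None
+                    if password else ''
 
             self.sa.add(new_user)
 
             if not edit:
                 log_create_user(new_user.get_dict(), cur_user)
             return new_user
         except (DatabaseError,):
             log.error(traceback.format_exc())
             raise
 
     def create_registration(self, form_data):
         from kallithea.model.notification import NotificationModel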
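Review bot: Once the stored value is `''`, `password_change = new_user.password and ...` is always falsy, so on an edit a newly supplied password for such an account is silently dropped; conversely, an edit with an empty `password` on an account that still has a hash appears to replace that hash with `''` (assuming `check_password` returns False there), which disables password login under the generic 'new password' debug message. Consider making the intent explicit, e.g. `password_change = bool(password) and not (new_user.password and check_password(password, new_user.password))`, and keeping a separate, deliberate branch if blanking the password on edit is wanted. The `''` placeholder is only safe while `check_password`, which is outside this hunk, rejects an empty stored hash; a comment beside the assignment such as `# '' = no local password: column is NOT NULL and no hash ever equals ''` would record that dependency. The enclosing method starts above the hunk.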