Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-03-25 13:50:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #14116, don't return ban reason if login credentials are incorrect

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2026-03-23 09:43:15 -04:00
parent 43e7f0abb9
commit 9bcef6b5ea
2 changed files with 20 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/controllers/authentication.js
View File

@@ -409,21 +409,20 @@ authenticationController.localLogin = async function (req, username, password, n
userData.isAdminOrGlobalMod = isAdminOrGlobalMod;
if (!canLoginIfBanned) {
return next(await getBanError(uid));
}
// Doing this after the ban check, because user's privileges might change after a ban expires
const hasLoginPrivilege = await privileges.global.can('local:login', uid);
if (parseInt(uid, 10) && !hasLoginPrivilege) {
return next(new Error('[[error:local-login-disabled]]'));
}
try {
const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
if (!passwordMatch) {
return next(new Error('[[error:invalid-login-credentials]]'));
}
if (!canLoginIfBanned) {
return next(await getBanError(uid));
}
// Doing this after the ban check, because user's privileges might change after a ban expires
const hasLoginPrivilege = await privileges.global.can('local:login', uid);
if (parseInt(uid, 10) && !hasLoginPrivilege) {
return next(new Error('[[error:local-login-disabled]]'));
}
} catch (e) {
if (req.loggedIn) {
await logoutAsync(req);

11
test/user.js
View File

@@ -1394,6 +1394,17 @@ describe('User', () => {
assert.strictEqual(await db.isSortedSetMember('users:banned', testUid), false);
});
it('should not return ban reason if login is incorrect', async () => {
const testUid = await User.create({ username: 'bannedUser4', password: '654321' });
await User.bans.ban(testUid, 0, 'testing bans');
let { response, body } = await helpers.loginUser('bannedUser4', '5555555');
assert.strictEqual(response.status, 403);
assert.strictEqual(body, '[[error:invalid-login-credentials]]');
({ response, body } = await helpers.loginUser('bannedUser4', '654321'));
assert.strictEqual(response.status, 403);
assert.strictEqual(body.reason, 'testing bans');
});
});
describe('Digest.getSubscribers', () => {