Merge pull request #695 from mprasil/do-not-leak-usernames
Stop leaking usernames when SIGNUPS_ALLOWED=false
pull/701/head
Daniel García
5 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with
7 additions and
3 deletions
src/api/core/accounts.rs
|
|
@ -62,7 +62,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { |
|
|
|
let mut user = match User::find_by_mail(&data.Email, &conn) { |
|
|
|
Some(user) => { |
|
|
|
if !user.password_hash.is_empty() { |
|
|
|
err!("User already exists") |
|
|
|
if CONFIG.signups_allowed() { |
|
|
|
err!("User already exists") |
|
|
|
} else { |
|
|
|
err!("Registration not allowed or user already exists") |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
if let Some(token) = data.Token { |
|
|
@ -82,14 +86,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { |
|
|
|
} else if CONFIG.signups_allowed() { |
|
|
|
err!("Account with this email already exists") |
|
|
|
} else { |
|
|
|
err!("Registration not allowed") |
|
|
|
err!("Registration not allowed or user already exists") |
|
|
|
} |
|
|
|
} |
|
|
|
None => { |
|
|
|
if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) { |
|
|
|
User::new(data.Email.clone()) |
|
|
|
} else { |
|
|
|
err!("Registration not allowed") |
|
|
|
err!("Registration not allowed or user already exists") |
|
|
|
} |
|
|
|
} |
|
|
|
}; |
|
|
|
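Review bot: The fix only holds while the three `err!("Registration not allowed or user already exists")` calls (existing user with a password, existing user with neither token nor open signups, and unknown email) stay byte-identical, and nothing in the code ties them together. Defining the message once, e.g. `const REGISTRATION_DENIED: &str = "Registration not allowed or user already exists";`, and using it at all three sites would keep a later wording change from reintroducing the difference; this assumes `err!` accepts a non-literal expression, which is not visible here. A comment at the first site such as `// Same message for every refusal when signups are disabled, so the response does not reveal whether the email is registered` would record why the branches must match. With signups enabled the responses still distinguish registered addresses ("User already exists", "Account with this email already exists"), which looks intentional but means that path depends on controls outside this function, such as rate limiting, if any exist. `register` starts before the first hunk and continues outside both, so whether status codes or response timing also differ between the branches cannot be judged from this page.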