git-auth: deny login if no password has been set

Message ID 20190427130358.24001-1-lfleischer@archlinux.org
State Accepted, archived
Headers show
Series
  • git-auth: deny login if no password has been set
Related show

Commit Message

Lukas Fleischer April 27, 2019, 1:03 p.m. UTC
After creating a new account, users need to verify their email address
and set an initial password. Without setting a password, users cannot
use their account on the web interface. However, when logging in via
SSH, we did not check whether the account is verified.

Fix this by only allowing SSH access once a password is set.

Reported-by: Pat Hogan <pathtofile@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 aurweb/git/auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 828ed4e..3b1e485 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -39,7 +39,8 @@  def main():
 
     cur = conn.execute("SELECT Users.Username, Users.AccountTypeID FROM Users "
                        "INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
-                       "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0",
+                       "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0 "
+                       "AND NOT Users.Passwd = ''",
                        (keytype + " " + keytext,))
 
     row = cur.fetchone()