author | zeripath <art27@cantab.net> | 2021-12-17 03:03:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-17 03:03:39 +0100 |
commit | d29b689f813ee83a4ec3526fbad7fb76a6958cc0 (patch) | |
tree | 79283195a316f021c0831d7b24834e2052a597d8 /routers/api | |
parent | Use JSON module instead of stdlib json (#18003) (diff) | |
Ensure complexity, minlength and ispwned are checked on password setting (#18005)
It appears that there are several places where password length, complexity and ispwned
are not currently being checked when changing passwords. This PR adds these checks.
Fix #17977
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'routers/api')
-rw-r--r-- | routers/api/v1/admin/user.go | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 44358b4bef..5d2bbdea2f 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -20,6 +20,7 @@ import (
 "code.gitea.io/gitea/modules/convert"
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/password"
+ "code.gitea.io/gitea/modules/setting"
 api "code.gitea.io/gitea/modules/structs"
 "code.gitea.io/gitea/modules/web"
 "code.gitea.io/gitea/routers/api/v1/user"
@@ -173,6 +174,10 @@ func EditUser(ctx *context.APIContext) {
 }
 if len(form.Password) != 0 {
+ if len(form.Password) < setting.MinPasswordLength {
+ ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
+ return
+ }
 if !password.IsComplexEnough(form.Password) {
 err := errors.New("PasswordComplexity")
 ctx.Error(http.StatusBadRequest, "PasswordComplexity", err) |
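Review bot: The new minimum-length guard in EditUser compares `len(form.Password)`, which is the byte length, against `setting.MinPasswordLength`, while the error text promises "characters". A password made of multi-byte UTF-8 characters can therefore pass with fewer characters than the policy intends. Counting runes would make the check and the message agree: `if utf8.RuneCountInString(form.Password) < setting.MinPasswordLength {`, with `unicode/utf8` added to the import block that the first hunk touches. If the other password-setting paths measure length with `len` as well, they should change together so the policy stays uniform across entry points. EditUser's body starts and ends outside the hunk, so whatever follows the complexity test is not visible here.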