From 00a11b1b784af6283a8321d240a309bb637d23a6 Mon Sep 17 00:00:00 2001
From: Miro Prasil
Date: Fri, 1 Nov 2019 22:34:42 +0000
Subject: [PATCH] Stop leaking usernames when SIGNUPS_ALLOWED=false

This fixes #691 - respond in less specific way to not leak the fact that user is already registered on the server.
---
 src/api/core/accounts.rs | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 3b16514..9c9e7da 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -62,7 +62,11 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult {
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
             if !user.password_hash.is_empty() {
-                err!("User already exists")
+                if CONFIG.signups_allowed() {
+                    err!("User already exists")
+                } else {
+                    err!("Registration not allowed or user already exists")
+                }
             }
 
             if let Some(token) = data.Token {
@@ -82,14 +86,14 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult {
             } else if CONFIG.signups_allowed() {
                 err!("Account with this email already exists")
             } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
             }
         }
         None => {
             if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
                 User::new(data.Email.clone())
             } else {
-                err!("Registration not allowed or user already exists")
+                err!("Registration not allowed or user already exists")
             }
         }
     };
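Review bot: The generic message is only returned when `password_hash` is non-empty, so with signups disabled an email that exists in the database with an empty hash (an invited account that has not completed registration, if that is what the empty hash means here) skips the new branch and falls through to the `if let Some(token) = data.Token` handling, whose responses are outside this hunk. If those responses differ from "Registration not allowed or user already exists" when no valid token is supplied, the existence of such an account remains distinguishable from a non-existent one, which is the oracle the commit sets out to close. It would be worth confirming that every deny path in the token handling emits the same generic text when `CONFIG.signups_allowed()` is false, and recording the intent above the `match` with a comment such as `// With signups disabled, every rejection must use the same message so the response does not reveal whether the email is registered.` The body of `register` starts before and continues after this hunk.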
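Review bot: The literal "Registration not allowed or user already exists" is now spelled out at three separate call sites (two in this hunk, one in the previous hunk), and the whole point of the change is that these responses stay byte-identical; a future edit to one site would silently reintroduce the account-enumeration oracle. Hoisting it once, e.g. `const REGISTRATION_DENIED: &str = "Registration not allowed or user already exists";` near the top of the file and writing `err!(REGISTRATION_DENIED)` at each site, makes the equivalence a compile-time property rather than a copy-paste convention. A one-line comment on the constant, `// Deliberately identical for "signups disabled" and "already registered" so the message does not leak which applies`, would also explain the unusual wording to the next maintainer. The enclosing `if let` and `match` arms start outside this hunk.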