author Lukas Fleischer <lfleischer@archlinux.org> 2019-04-27 14:46:50 +0200
committer Lukas Fleischer <lfleischer@archlinux.org> 2019-04-28 14:58:29 +0200
commit dd11321fa362b357cdd12039ae11ec19c3d72fae
tree 437604790f05d02b82bf9835fe66578511fa5ba9
parent e3ca3c96e5fe87d6ea8123b02ea037cf8255adb9
git-auth: deny login if no password has been set
After creating a new account, users need to verify their email address and set an initial password. Without setting a password, users cannot use their account on the web interface. However, when logging in via SSH, we did not check whether the account is verified. Fix this by only allowing SSH access once a password is set.

Reported-by: Pat Hogan <pathtofile@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rwxr-xr-x aurweb/git/auth.py 3
1 files changed, 2 insertions, 1 deletions
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 828ed4e2..3b1e485f 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -39,7 +39,8 @@ def main():
cur = conn.execute("SELECT Users.Username, Users.AccountTypeID FROM Users "
"INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
- "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0",
+ "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0 "
+ "AND NOT Users.Passwd = ''",
(keytype + " " + keytext,))
row = cur.fetchone()
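Review bot: The added `AND NOT Users.Passwd = ''` clause uses an empty password column as the stand-in for "account not yet verified", but nothing in the code says so; a short comment above the query stating that an empty `Passwd` marks an account that has not completed email verification would keep a later reader from treating the clause as redundant and dropping it. The behaviour itself is fail-closed: if `Passwd` were ever NULL rather than empty, the comparison evaluates to NULL and the row is still rejected, which is the desired outcome but also worth noting in that comment. `Users.Passwd <> ''` would be the more conventional spelling of the same predicate. The diffstat shows only `aurweb/git/auth.py` changing, so a regression test that registers an SSH key for a user with an empty `Passwd` and asserts that the lookup returns no row would be a useful follow-up.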