Closed seeleclover closed 3 weeks ago
@tangyang9464 @JalinWang @imp2002
I found in the code that in Line 512 of the file controllers/user.go, in the SetPassword function, the variable newPassword was passed directly to targetUser.Password without hash encryption.
In addition, I also discovered another issue. In Line 513 of the file, the value of targetUser.NeedUpdatePassword is set to false, but immediately in Line 515, the object.UpdateUser method still takes "need_update_password" as an input parameter. Is there a corresponding relationship here?
The string array for UpdateUser defines which columns will be updated, so I add need_update_password to the array.
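The column-list behaviour the maintainer describes, as an added example that is not Casdoor's code: a stored row is changed only through the columns named in the list, so a flag set on the object but left out of the list is never persisted, and the password is hashed before it is assigned. The names updateUser, setPassword and hashPassword are hypothetical, and the hash is a standard-library PBKDF2-HMAC-SHA256 standing in for the organization's configured algorithm (bcrypt in the thread).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// hashPassword returns "pbkdf2$<salt>$<key>" using one 32-byte block of
// PBKDF2-HMAC-SHA256 built from the standard library; it stands in for the
// organization's configured algorithm (the thread's deployment uses bcrypt).
func hashPassword(plain string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	mac := hmac.New(sha256.New, []byte(plain))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1 covers a 32-byte key
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 10000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return "pbkdf2$" + hex.EncodeToString(salt) + "$" + hex.EncodeToString(key)
}

// updateUser copies only the columns named in cols from src into the stored row
// (a map stands in for the user table): an omitted column is silently left as it was,
// which is why "need_update_password" had to be added to the list in the fix.
func updateUser(stored, src map[string]string, cols []string) {
	for _, c := range cols {
		stored[c] = src[c]
	}
}

// setPassword is the corrected flow: hash before assignment, then name both
// changed columns so the flag reset reaches the table together with the hash.
func setPassword(stored map[string]string, newPassword string) {
	src := map[string]string{"password": hashPassword(newPassword), "need_update_password": "false"}
	updateUser(stored, src, []string{"password", "need_update_password"})
}
```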
:tada: This issue has been resolved in version 1.626.0 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
After changing the password storage algorithm of the organization to bcrypt, I immediately created several users and set passwords under this organization. But I saw in the user table of the database that the user's password is still in plain text. May I ask if this is a security problem?