casdoor / casdoor

An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, RADIUS, Google Workspace, Active Directory and Kerberos
https://casdoor.org
Apache License 2.0
9.2k stars 1.09k forks

User's password is still not encrypted after setting the password storage algorithm #2982

Closed seeleclover closed 3 weeks ago

seeleclover commented 3 weeks ago

After changing the password storage algorithm of the organization to bcrypt, I immediately created several users and set passwords under this organization. But I saw in the user table of the database that the user's password is still in plain text. May I ask if this is a security problem?

image

casbin-bot commented 3 weeks ago

@tangyang9464 @JalinWang @imp2002

seeleclover commented 3 weeks ago

I found in the code that in Line 512 of the file controllers/user.go , in the SetPassword function, the variable newPassword was passed directly to targetUser.Password without hash encryption.

image

In addition, I also discovered another issue. In Line 513 of the file, the value of targetUser.NeedUpdatePassword is set to false, but immediately in Line 515, the object.UpdateUser method still takes "need_update_password" as an input parameter. Is there a corresponding relationship here?

dacongda commented 3 weeks ago

> I found in the code that in Line 512 of the file controllers/user.go , in the SetPassword function, the variable newPassword was passed directly to targetUser.Password without hash encryption.
>
> image
>
> In addition, I also discovered another issue. In Line 513 of the file, the value of targetUser.NeedUpdatePassword is set to false, but immediately in Line 515, the object.UpdateUser method still takes "need_update_password" as an input parameter. Is there a corresponding relationship here?

The string array for UpdateUser defines which columns will be updated, so I added need_update_password to the array.
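The two points raised in this thread, a set-password path that must run the organization's configured hash before assigning to the password field, and an update call that only persists the columns named in its list, are shown together below in an added example. This is illustrative code written for this page, not Casdoor's own `controllers/user.go` or `object.UpdateUser`: the `Organization` and `User` structs, the in-memory `db` map and the function names are hypothetical, and PBKDF2-HMAC-SHA256 from the Go standard library stands in for bcrypt so the example runs without third-party modules.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Organization keeps only the field this issue is about: the per-organization
// password storage algorithm (hypothetical struct, not Casdoor's).
type Organization struct {
	PasswordType string // "plain" or "pbkdf2" in this example
}

// User mirrors the two columns discussed in the issue (hypothetical struct).
type User struct {
	Name               string
	Password           string
	NeedUpdatePassword bool
}

const (
	kdfIterations = 100_000
	kdfKeyLen     = 32
	saltLen       = 16
)

// pbkdf2SHA256 is a plain RFC 8018 PBKDF2-HMAC-SHA256; it is the
// standard-library stand-in for bcrypt in this example.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:] // T_i starts as U_1
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0]) // U_n = PRF(P, U_{n-1})
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// hashPassword returns what belongs in the password column for the
// organization's configured algorithm. Only "plain" stores the input
// unchanged, which is what the reporter saw for every setting.
func hashPassword(org *Organization, plaintext string) (string, error) {
	switch org.PasswordType {
	case "plain":
		return plaintext, nil
	case "pbkdf2":
		salt := make([]byte, saltLen)
		if _, err := rand.Read(salt); err != nil {
			return "", err
		}
		dk := pbkdf2SHA256([]byte(plaintext), salt, kdfIterations, kdfKeyLen)
		return fmt.Sprintf("$pbkdf2-sha256$%d$%s$%s", kdfIterations,
			base64.RawStdEncoding.EncodeToString(salt),
			base64.RawStdEncoding.EncodeToString(dk)), nil
	default:
		return "", fmt.Errorf("unsupported password type %q", org.PasswordType)
	}
}

// verifyPassword checks a candidate against a stored value in either format.
func verifyPassword(stored, candidate string) bool {
	if !strings.HasPrefix(stored, "$pbkdf2-sha256$") {
		return subtle.ConstantTimeCompare([]byte(stored), []byte(candidate)) == 1
	}
	parts := strings.Split(stored, "$") // "", "pbkdf2-sha256", iter, salt, dk
	if len(parts) != 5 {
		return false
	}
	var iter int
	if _, err := fmt.Sscanf(parts[2], "%d", &iter); err != nil || iter <= 0 {
		return false
	}
	salt, err1 := base64.RawStdEncoding.DecodeString(parts[3])
	want, err2 := base64.RawStdEncoding.DecodeString(parts[4])
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(candidate), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// updateUser imitates an ORM update that writes only the named columns;
// a column left out of the list silently keeps its old value.
func updateUser(db map[string]*User, u *User, columns []string) {
	row, ok := db[u.Name]
	if !ok {
		return
	}
	for _, col := range columns {
		switch col {
		case "password":
			row.Password = u.Password
		case "need_update_password":
			row.NeedUpdatePassword = u.NeedUpdatePassword
		}
	}
}

// setPassword is the corrected flow: hash first, then clear the flag, then
// name both columns so the update actually persists both changes.
func setPassword(db map[string]*User, org *Organization, u *User, newPassword string) error {
	hashed, err := hashPassword(org, newPassword)
	if err != nil {
		return err
	}
	u.Password = hashed
	u.NeedUpdatePassword = false
	updateUser(db, u, []string{"password", "need_update_password"})
	return nil
}

func main() {
	db := map[string]*User{"alice": {Name: "alice", NeedUpdatePassword: true}}
	org := &Organization{PasswordType: "pbkdf2"}
	u := &User{Name: "alice", NeedUpdatePassword: true}
	if err := setPassword(db, org, u, "constructed-example-password"); err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s\nflag cleared: %v\n", db["alice"].Password, !db["alice"].NeedUpdatePassword)
}
```

A useful check after any change to a set-password path is the one the reporter did: read the stored column straight from the database and confirm it neither equals the plaintext nor lacks the algorithm prefix, and confirm separately that every field changed in memory is also in the column list handed to the update call.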

casbin-bot commented 3 weeks ago

:tada: This issue has been resolved in version 1.626.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: