UniqAI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2025-02-21 21:01:09 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth.

Browse Source 
LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
This commit is contained in:
alexey_rechkalov 2024-11-21 18:05:02 +05:00
parent 6088acf36d
commit b1237cf389
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
backend/open_webui/apps/webui/routers/auths.py
View File

@ -238,10 +238,20 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
user = Users.get_user_by_email(mail) user = Users.get_user_by_email(mail)
if not user: if not user:
try: try:
hashed = get_password_hash(form_data.password) role = (
user = Auths.insert_new_auth(mail, hashed, cn) "admin"
if Users.get_num_users() == 0
else request.app.state.config.DEFAULT_USER_ROLE
)
user = Auths.insert_new_auth(
mail,
str(uuid.uuid4()),
cn,
None,
role,
)
if not user: if not user:
raise HTTPException( raise HTTPException(
@ -253,7 +263,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
except Exception as err: except Exception as err:
raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err)) raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))
user = Auths.authenticate_user(mail, password=str(form_data.password)) user = Auths.authenticate_user_by_trusted_header(mail)
if user: if user:
token = create_token( token = create_token(