From: Jeff Halter
Date: Mon, 6 May 2024 00:29:30 +0000 (-0700)
Subject: Fix bug that clears account password on permission edit
X-Git-Url: https://git.r.bdr.sh/rbdr/mobius/commitdiff_plain/b33477b0f589c8a25bc8077756155791bb763233?ds=inline
Fix bug that clears account password on permission edit
---
diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index 1ef8ad3..2275319 100644
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -793,15 +793,24 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
 if acc, ok := cc.Server.Accounts[login]; ok {
 cc.logger.Infow("UpdateUser", "login", login)
- // account dataFile, so this is an update action
+ // account exists, so this is an update action
 if !cc.Authorize(accessModifyUser) {
 res = append(res, cc.NewErrReply(t, "You are not allowed to modify accounts."))
 return res, err
 }
+ // This part is a bit tricky. There are three possibilities:
+ // 1) The transaction is intended to update the password.
+ // In this case, FieldUserPassword is sent with the new password.
+ // 2) The transaction is intended to remove the password.
+ // In this case, FieldUserPassword is not sent.
+ // 3) The transaction updates the users access bits, but not the password.
+ // In this case, FieldUserPassword is sent with zero as the only byte..
 if getField(FieldUserPassword, &subFields) != nil {
 newPass := getField(FieldUserPassword, &subFields).Data
- acc.Password = hashAndSalt(newPass)
+ if !bytes.Equal([]byte{0}, newPass) {
+ acc.Password = hashAndSalt(newPass)
+ }
 } else {
 acc.Password = hashAndSalt([]byte(""))
 }
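Review bot: The `else` branch at the end of the hunk still fails open: when FieldUserPassword is absent the account is re-hashed with an empty password, and the only log line (`cc.logger.Infow("UpdateUser", "login", login)`) does not say whether the password was kept, changed or removed. Because a request that simply omits the field leaves the account passwordless, I would record the outcome (never the value) in that branch, e.g. `cc.logger.Infow("UpdateUser: password removed", "login", login)`, so removals can be audited. The field is also looked up twice; `if f := getField(FieldUserPassword, &subFields); f != nil {` followed by `newPass := f.Data` reads more clearly. HandleUpdateUser begins and ends outside this hunk, and no import change is visible here, so confirm that `bytes` is already imported in this file.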