[PR #14950] [MERGED] Deprecate HasPassword property on UserDto #14192

Closed
opened 2026-02-07 07:25:59 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/jellyfin/jellyfin/pull/14950
Author: @nielsvanvelzen
Created: 10/5/2025
Status: Merged
Merged: 11/27/2025
Merged by: @nielsvanvelzen

Base: masterHead: security-remove-has-password


📝 Commits (2)

  • 0fb6d93 Deprecate HasPassword property on UserDto
  • d43db23 Add back UpdateUserPassword_Empty_RemoveSetPassword test

📊 Changes

6 files changed (+7 additions, -34 deletions)

View changed files

📝 Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs (+1 -5)
📝 Jellyfin.Server.Implementations/Users/InvalidAuthProvider.cs (+0 -6)
📝 Jellyfin.Server.Implementations/Users/UserManager.cs (+0 -3)
📝 MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs (+0 -2)
📝 MediaBrowser.Model/Dto/UserDto.cs (+6 -3)
📝 tests/Jellyfin.Server.Integration.Tests/Controllers/UserControllerTests.cs (+0 -15)

📄 Description

Changes

Deprecate the HasPassword and HasConfiguredPassword properties on UserDto. They're now nullable and a default value is always set to true. In addition, IAuthenticationProvider no longer provides a HasPassword method.

This fixes a long-standing security issue where users of a Jellyfin server could see if a different user has an empty password and public users were exposed to be passwordless to the entire internet.

Additionally fixes the deprecation of HasConfiguredEasyPassword (make nullable and provide default) so it can be removed in a future API version.

Impacted projects:

  • HasConfiguredPassword is used by jellyfin-web
  • HasPassword is used by jellyfin-web, jellyfin-kodi, jellyfin-vue and jellycon
  • LDAP plugin needs changes to remove the HasPassword method from IAuthenticationProvider.

Issues


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/jellyfin/jellyfin/pull/14950 **Author:** [@nielsvanvelzen](https://github.com/nielsvanvelzen) **Created:** 10/5/2025 **Status:** ✅ Merged **Merged:** 11/27/2025 **Merged by:** [@nielsvanvelzen](https://github.com/nielsvanvelzen) **Base:** `master` ← **Head:** `security-remove-has-password` --- ### 📝 Commits (2) - [`0fb6d93`](https://github.com/jellyfin/jellyfin/commit/0fb6d930e1ca14d1d3af06ecee310869d2e86dfe) Deprecate HasPassword property on UserDto - [`d43db23`](https://github.com/jellyfin/jellyfin/commit/d43db230fa1ff6f371a9ab16063152f5b632e2e9) Add back UpdateUserPassword_Empty_RemoveSetPassword test ### 📊 Changes **6 files changed** (+7 additions, -34 deletions) <details> <summary>View changed files</summary> 📝 `Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs` (+1 -5) 📝 `Jellyfin.Server.Implementations/Users/InvalidAuthProvider.cs` (+0 -6) 📝 `Jellyfin.Server.Implementations/Users/UserManager.cs` (+0 -3) 📝 `MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs` (+0 -2) 📝 `MediaBrowser.Model/Dto/UserDto.cs` (+6 -3) 📝 `tests/Jellyfin.Server.Integration.Tests/Controllers/UserControllerTests.cs` (+0 -15) </details> ### 📄 Description **Changes** Deprecate the HasPassword and HasConfiguredPassword properties on UserDto. They're now nullable and a default value is always set to true. In addition, IAuthenticationProvider no longer provides a `HasPassword` method. This fixes a long-standing security issue where users of a Jellyfin server could see if a different user has an empty password and public users were exposed to be passwordless to the entire internet. Additionally fixes the deprecation of HasConfiguredEasyPassword (make nullable and provide default) so it can be removed in a future API version. Impacted projects: - HasConfiguredPassword is used by jellyfin-web - HasPassword is used by jellyfin-web, jellyfin-kodi, jellyfin-vue and jellycon - LDAP plugin needs changes to remove the `HasPassword` method from IAuthenticationProvider. **Issues** <!-- Tag any issues that this PR solves here. ex. Fixes # --> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-07 07:25:59 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#14192