mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
[PR #14950] [MERGED] Deprecate HasPassword property on UserDto #14192
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/jellyfin/jellyfin/pull/14950
Author: @nielsvanvelzen
Created: 10/5/2025
Status: ✅ Merged
Merged: 11/27/2025
Merged by: @nielsvanvelzen
Base:
master← Head:security-remove-has-password📝 Commits (2)
0fb6d93Deprecate HasPassword property on UserDtod43db23Add back UpdateUserPassword_Empty_RemoveSetPassword test📊 Changes
6 files changed (+7 additions, -34 deletions)
View changed files
📝
Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs(+1 -5)📝
Jellyfin.Server.Implementations/Users/InvalidAuthProvider.cs(+0 -6)📝
Jellyfin.Server.Implementations/Users/UserManager.cs(+0 -3)📝
MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs(+0 -2)📝
MediaBrowser.Model/Dto/UserDto.cs(+6 -3)📝
tests/Jellyfin.Server.Integration.Tests/Controllers/UserControllerTests.cs(+0 -15)📄 Description
Changes
Deprecate the HasPassword and HasConfiguredPassword properties on UserDto. They're now nullable and a default value is always set to true. In addition, IAuthenticationProvider no longer provides a
HasPasswordmethod.This fixes a long-standing security issue where users of a Jellyfin server could see if a different user has an empty password and public users were exposed to be passwordless to the entire internet.
Additionally fixes the deprecation of HasConfiguredEasyPassword (make nullable and provide default) so it can be removed in a future API version.
Impacted projects:
HasPasswordmethod from IAuthenticationProvider.Issues
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.