mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
Able to create Admin user with empty password #6407
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @LePips on GitHub (Oct 31, 2024).
This issue respects the following points:
Description of the bug
The server has moved to forbidding admin users with empty passwords when changing user passwords, however you can create a user that isn't an admin with an empty password and then make them an admin.
Tested on 10.9 and 10.10.
Reproduction steps
1 - Create normal user with empty password
2 - Update user policy
IsAdministratorto true, orAllow this user to manage the serverin web3 - Now user with empty password is admin
What is the current bug behavior?
An admin with empty password is allowed.
What is the expected correct behavior?
Probably an error, but I am honestly unsure of how to properly check this condition without looking at the password on server.
Jellyfin Server version
10.10.0+
Specify commit id
No response
Specify unstable release number
No response
Specify version number
No response
Specify the build version
10.10.0
Environment
N/A, is API issue.
Jellyfin logs
Get 200 🤷
FFmpeg logs
No response
Client / Browser logs
No response
Relevant screenshots or videos
No response
Additional information
No response
@nielsvanvelzen commented on GitHub (Nov 1, 2024):
The server does know when a password is empty, so returning an error is possible.