Compare commits

...

1 Commits

Author SHA1 Message Date
Ginger f4784d48c1 fix: Forbid registering users with a non-local localpart 2026-02-20 20:39:38 -05:00
2 changed files with 13 additions and 0 deletions
+7
View File
@@ -252,6 +252,13 @@ pub(crate) async fn register_route(
}
}
// Don't allow registration with user IDs that aren't local
if !services.globals.user_is_local(&user_id) {
return Err!(Request(InvalidUsername(
"Username {body_username} is not local to this server"
)));
}
user_id
},
| Err(e) => {
+6
View File
@@ -184,6 +184,12 @@ pub async fn create(
password: Option<&str>,
origin: Option<&str>,
) -> Result<()> {
if !self.services.globals.user_is_local(user_id)
&& (password.is_some() || origin.is_some())
{
return Err!("Cannot create a nonlocal user with a set password or origin");
}
self.db
.userid_origin
.insert(user_id, origin.unwrap_or("password"));