security fix, do not pass smtp password with front-end

2025-01-31 16:42:22 +01:00 · 2022-02-01 23:34:05 +01:00 · 2022-02-01 23:34:05 +01:00 · 2a07026590
commit 2a07026590
parent 00a47be884
2 changed files with 8 additions and 1 deletions
--- a/components/admin/Settings.vue
+++ b/components/admin/Settings.vue
@ -83,7 +83,7 @@ export default {
  computed: {
    ...mapState(['settings']),
    showSMTPAlert () {
-      return !this.setup && (!this.settings.admin_email || !this.settings.smtp || !this.settings.smtp.host || !this.settings.smtp.user)
+      return !this.setup && (!this.settings.admin_email || !this.settings.smtp || !this.settings.smtp.host || !this.settings.smtp.auth.user)
    },
    instance_locale: {
      get () { return this.settings.instance_locale },
--- a/server/helpers.js
+++ b/server/helpers.js
@ -65,6 +65,13 @@ module.exports = {
    // initialize settings
    req.settings = { ...settingsController.settings }

+    if (req.settings.smtp && req.settings.smtp.auth && req.settings.smtp.auth.pass) {
+      if (req.user.is_admin) {
+        delete req.settings.smtp.auth.pass
+      } else {
+        delete req.settings.smtp
+      }
+    }
    req.settings.baseurl = config.baseurl
    req.settings.hostname = config.hostname
    req.settings.title = req.settings.title || config.title