From ddb77fc43cd8ef5f94fe3476a0d36d30c35fe7db Mon Sep 17 00:00:00 2001
From: Hyu
Date: Fri, 26 Jun 2026 16:35:50 +0800
Subject: [PATCH] fix(api): guard /set-password with allow_modify_login_info (#2288)

The /change-password and /bind-space endpoints already refuse when system.allow_modify_login_info is false, but /set-password did not, leaving a path to alter login credentials on locked-down deployments (e.g. public demo instances). Apply the same guard.

Co-authored-by: dadachann <185672915+dadachann@users.noreply.github.com>
---
 src/langbot/pkg/api/http/controller/groups/user.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/langbot/pkg/api/http/controller/groups/user.py b/src/langbot/pkg/api/http/controller/groups/user.py
index e86d6d1e2..886dc5d0d 100644
--- a/src/langbot/pkg/api/http/controller/groups/user.py
+++ b/src/langbot/pkg/api/http/controller/groups/user.py
@@ -195,6 +195,13 @@ class UserRouterGroup(group.RouterGroup):
 @self.route('/set-password', methods=['POST'], auth_type=group.AuthType.USER_TOKEN)
 async def _(user_email: str) -> str:
 """Set password for Space account (first time) or change password"""
+ # Check if modifying login info is allowed
+ allow_modify_login_info = self.ap.instance_config.data.get('system', {}).get(
+ 'allow_modify_login_info', True
+ )
+ if not allow_modify_login_info:
+ return self.http_status(403, -1, 'Modifying login info is disabled')
+
 json_data = await quart.request.json
 new_password = json_data.get('new_password')
 current_password = json_data.get('current_password')
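Review bot: The config lookup added before `json_data` is the same inline check the commit message says /change-password and /bind-space already carry, so the guard now lives as three hand-copied blocks, and a handler that forgets its copy is exactly how /set-password was missed; a single method on UserRouterGroup such as `def _login_info_modifiable(self) -> bool:` / `return self.ap.instance_config.data.get('system', {}).get('allow_modify_login_info', True)`, called from all three routes, makes the guard the default rather than something each route has to remember. The `True` default also means a configuration with no `allow_modify_login_info` key fails open; if the other two endpoints use the same default this is at least consistent, but the intended behaviour for a missing key deserves a comment on the lookup, e.g. `# missing key => modification allowed, same default as /change-password`. Placing the check before `await quart.request.json` is the right order, since a rejected request never has its body parsed. The handler `_` continues past the end of the hunk.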