From 6f9b88e5720f049a62e839cb327579f647dfb20f Mon Sep 17 00:00:00 2001
From: Timshel <Timshel@users.noreply.github.com>
Date: Thu, 16 Jan 2025 18:14:06 +0100
Subject: [PATCH] Allow set-password only if account is unitialized

---
 src/api/core/accounts.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index a0fa60e9..ec2f30b6 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -262,6 +262,10 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co
     let data: SetPasswordData = data.into_inner();
     let mut user = headers.user;
 
+    if user.private_key.is_some() {
+        err!("Account already intialized cannot set password")
+    }
+
     // Check against the password hint setting here so if it fails, the user
     // can retry without losing their invitation below.
     let password_hint = clean_password_hint(&data.master_password_hint);