Allow set-password only if account is unitialized

2025-01-31 10:08:56 +01:00 · 2025-01-16 18:14:06 +01:00 · 2025-01-16 18:14:06 +01:00 · 6f9b88e572
Commit 6f9b88e572
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -262,6 +262,10 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co
    let data: SetPasswordData = data.into_inner();
    let mut user = headers.user;

+    if user.private_key.is_some() {
+        err!("Account already intialized cannot set password")
+    }
+
    // Check against the password hint setting here so if it fails, the user
    // can retry without losing their invitation below.
    let password_hint = clean_password_hint(&data.master_password_hint);