fix: restrict default permissions for proxy-auth auto-provisioned users (#5890)

Co-authored-by: Henrique Dias <mail@hacdias.com>
2026-04-21 13:27:17 +00:00 · 2026-04-04 16:02:34 -04:00 · 2026-04-04 16:02:34 -04:00 · f13c7c8cff
commit f13c7c8cff
parent 1e03feadb5
2 changed files with 82 additions and 0 deletions
--- a/auth/proxy.go
+++ b/auth/proxy.go
@ -46,6 +46,9 @@ func (a ProxyAuth) createUser(usr users.Store, setting *settings.Settings, srv *
 		LockPassword: true,
 	}
 	setting.Defaults.Apply(user)
+	user.Perm.Admin = false
+	user.Perm.Execute = false
+	user.Commands = []string{}

 	var userHome string
 	userHome, err = setting.MakeUserDir(user.Username, user.Scope, srv.Root)
--- a/auth/proxy_test.go
+++ b/auth/proxy_test.go
@ -0,0 +1,79 @@
+package auth
+
+import (
+	"net/http"
+	"testing"
+
+	fberrors "github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+type mockUserStore struct {
+	users map[string]*users.User
+}
+
+func (m *mockUserStore) Get(_ string, id interface{}) (*users.User, error) {
+	if v, ok := id.(string); ok {
+		if u, ok := m.users[v]; ok {
+			return u, nil
+		}
+	}
+	return nil, fberrors.ErrNotExist
+}
+
+func (m *mockUserStore) Gets(_ string) ([]*users.User, error) { return nil, nil }
+func (m *mockUserStore) Update(_ *users.User, _ ...string) error { return nil }
+func (m *mockUserStore) Save(user *users.User) error {
+	m.users[user.Username] = user
+	return nil
+}
+func (m *mockUserStore) Delete(_ interface{}) error { return nil }
+func (m *mockUserStore) LastUpdate(_ uint) int64     { return 0 }
+
+func TestProxyAuthCreateUserRestrictsDefaults(t *testing.T) {
+	t.Parallel()
+
+	store := &mockUserStore{users: make(map[string]*users.User)}
+	srv := &settings.Server{Root: t.TempDir()}
+
+	s := &settings.Settings{
+		Key:        []byte("key"),
+		AuthMethod: MethodProxyAuth,
+		Defaults: settings.UserDefaults{
+			Perm: users.Permissions{
+				Admin:    true,
+				Execute:  true,
+				Create:   true,
+				Rename:   true,
+				Modify:   true,
+				Delete:   true,
+				Share:    true,
+				Download: true,
+			},
+			Commands: []string{"git", "ls", "cat", "id"},
+		},
+	}
+
+	auth := ProxyAuth{Header: "X-Remote-User"}
+	req, _ := http.NewRequest(http.MethodGet, "/", http.NoBody)
+	req.Header.Set("X-Remote-User", "newproxyuser")
+
+	user, err := auth.Auth(req, store, s, srv)
+	if err != nil {
+		t.Fatalf("Auth() error: %v", err)
+	}
+
+	if user.Perm.Admin {
+		t.Error("auto-provisioned proxy user should not have Admin permission")
+	}
+	if user.Perm.Execute {
+		t.Error("auto-provisioned proxy user should not have Execute permission")
+	}
+	if len(user.Commands) != 0 {
+		t.Errorf("auto-provisioned proxy user should have empty Commands, got %v", user.Commands)
+	}
+	if !user.Perm.Create {
+		t.Error("auto-provisioned proxy user should retain Create permission from defaults")
+	}
+}