actual

github-starred/actual

Fork 0

mirror of https://github.com/actualbudget/actual.git synced 2026-03-22 00:13:45 -05:00

Commit Graph

Author	SHA1	Message	Date
Matiss Janis Aboltins	53cdc6fa48	[AI] Further hardening of "/change-password" endpoint (#7207 ) * [AI] Fix OIDC privilege escalation in /change-password endpoint Add admin role check and password auth_method session check to prevent non-admin or OIDC-authenticated users from changing the server password. Previously, any authenticated user could overwrite the password hash and then login via password method to obtain an ADMIN session. https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn * Add release notes for PR #7207 --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-17 08:16:46 +00:00

Author

SHA1

Message

Date

Matiss Janis Aboltins

53cdc6fa48

[AI] Further hardening of "/change-password" endpoint (#7207 )

* [AI] Fix OIDC privilege escalation in /change-password endpoint

Add admin role check and password auth_method session check to prevent
non-admin or OIDC-authenticated users from changing the server password.
Previously, any authenticated user could overwrite the password hash and
then login via password method to obtain an ADMIN session.

https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn

* Add release notes for PR #7207

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

2026-03-17 08:16:46 +00:00

1 Commits