🐛 protect setup (#8030)

refs #7452 - we have to query the owner user by "inactive" status - otherwise it is possible to override the owner's email address
2017-02-27 20:07:00 +01:00 · 2017-02-27 20:07:00 +01:00 · dfde5d14f1
commit dfde5d14f1
parent 63723aa36a
1 changed files with 1 additions and 1 deletions
--- a/core/server/auth/auth-strategies.js
+++ b/core/server/auth/auth-strategies.js
@ -115,7 +115,7 @@ strategies = {
        };

        handleSetup = function handleSetup() {
-            return models.User.findOne({slug: 'ghost-owner', status: 'all'}, options)
+            return models.User.findOne({slug: 'ghost-owner', status: 'inactive'}, options)
                .then(function fetchedOwner(owner) {
                    if (!owner) {
                        throw new errors.NotFoundError({message: i18n.t('errors.models.user.userNotFound')});