From f8a6132f1517a2d7520a11ed216d225e3e3fade5 Mon Sep 17 00:00:00 2001
From: antirez
Date: Mon, 11 Feb 2019 16:47:02 +0100
Subject: ACL: refactor+fix AUTH check in processCommand().

The part that is fixed is that now if the default user is off whatever is its configuration the user is not considered authenticated.
---
 src/server.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/server.c b/src/server.c
index c257d0573..289b1bd23 100644
--- a/src/server.c
+++ b/src/server.c
@@ -3298,14 +3298,17 @@ int processCommand(client *c) {
 return C_OK;
 }
 
- /* Check if the user is authenticated */
- if (!(DefaultUser->flags & USER_FLAG_NOPASS) &&
- !c->authenticated &&
- (c->cmd->proc != authCommand || c->cmd->proc == helloCommand))
- {
- flagTransaction(c);
- addReply(c,shared.noautherr);
- return C_OK;
+ /* Check if the user is authenticated. This check is skipped in case
+ * the default user is flagged as "nopass" and is active. */
+ int auth_required = !(DefaultUser->flags & USER_FLAG_NOPASS) &&
+ !c->authenticated;
+ if (auth_required || DefaultUser->flags & USER_FLAG_DISABLED) {
+ /* AUTH and HELLO are valid even in non authenticated state. */
+ if (c->cmd->proc != authCommand || c->cmd->proc == helloCommand) {
+ flagTransaction(c);
+ addReply(c,shared.noautherr);
+ return C_OK;
+ }
 }
 
 /* Check if the user can run this command according to the current
-- 
cgit v1.2.1
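Review bot: The inner test `c->cmd->proc != authCommand || c->cmd->proc == helloCommand` is also true for HELLO, because HELLO is not AUTH, so HELLO is still answered with `shared.noautherr` although the new comment says it is valid before authentication; the test should read `if (c->cmd->proc != authCommand && c->cmd->proc != helloCommand) {`. Separately, `auth_required || DefaultUser->flags & USER_FLAG_DISABLED` does not look at `c->authenticated`, so once the default user is disabled every non-AUTH command is refused, apparently including commands from a client that has already authenticated as another user (how `c->authenticated` is set is outside the hunk). Folding the disabled flag into the flag expression, `int auth_required = (!(DefaultUser->flags & USER_FLAG_NOPASS) || (DefaultUser->flags & USER_FLAG_DISABLED)) && !c->authenticated;` followed by `if (auth_required) {`, keeps the check fail-closed for unauthenticated clients without locking out authenticated ones. processCommand() starts and ends outside the hunk.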