diff --git a/redis.conf b/redis.conf index 5672f3c2c..4460e37b6 100644 --- a/redis.conf +++ b/redis.conf @@ -942,9 +942,9 @@ replica-priority 100 # "nopass" status. After "resetpass" the user has no associated # passwords and there is no way to authenticate without adding # some password (or setting it as "nopass" later). -# reset Performs the following actions: resetpass, resetkeys, off, -# -@all. The user returns to the same state it has immediately -# after its creation. +# reset Performs the following actions: resetpass, resetkeys, resetchannels, +# allchannels (if acl-pubsub-default is set), off, clearselectors, -@all. +# The user returns to the same state it has immediately after its creation. # () Create a new selector with the options specified within the # parentheses and attach it to the user. Each option should be # space separated. The first character must be ( and the last diff --git a/src/acl.c b/src/acl.c index 2f39e1fdc..5f3c8ffc6 100644 --- a/src/acl.c +++ b/src/acl.c @@ -384,6 +384,7 @@ user *ACLCreateUser(const char *name, size_t namelen) { user *u = zmalloc(sizeof(*u)); u->name = sdsnewlen(name,namelen); u->flags = USER_FLAG_DISABLED; + u->flags |= USER_FLAG_SANITIZE_PAYLOAD; u->passwords = listCreate(); listSetMatchMethod(u->passwords,ACLListMatchSds); listSetFreeMethod(u->passwords,ACLListFreeSds); @@ -1146,6 +1147,8 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) { * off Disable the user: it's no longer possible to authenticate * with this user, however the already authenticated connections * will still work. + * skip-sanitize-payload RESTORE dump-payload sanitization is skipped. + * sanitize-payload RESTORE dump-payload is sanitized (default). * > Add this password to the list of valid password for the user. * For example >mypass will add "mypass" to the list. * This directive clears the "nopass" flag (see later). @@ -1168,9 +1171,9 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) { * "nopass" status. After "resetpass" the user has no associated * passwords and there is no way to authenticate without adding * some password (or setting it as "nopass" later). - * reset Performs the following actions: resetpass, resetkeys, off, - * -@all. The user returns to the same state it has immediately - * after its creation. + * reset Performs the following actions: resetpass, resetkeys, resetchannels, + * allchannels (if acl-pubsub-default is set), off, clearselectors, -@all. + * The user returns to the same state it has immediately after its creation. * () Create a new selector with the options specified within the * parentheses and attach it to the user. Each option should be * space separated. The first character must be ( and the last diff --git a/tests/unit/acl.tcl b/tests/unit/acl.tcl index 3a1dcbf6c..0900d8e03 100644 --- a/tests/unit/acl.tcl +++ b/tests/unit/acl.tcl @@ -175,7 +175,7 @@ start_server {tags {"acl external:skip"}} { set curruser "hpuser" foreach user [lshuffle $users] { if {[string first $curruser $user] != -1} { - assert_equal {user hpuser on nopass resetchannels &foo +@all} $user + assert_equal {user hpuser on nopass sanitize-payload resetchannels &foo +@all} $user } } @@ -469,6 +469,27 @@ start_server {tags {"acl external:skip"}} { r AUTH newuser passwd1 } + test {ACL SETUSER RESET reverting to default newly created user} { + set current_user "example" + r ACL DELUSER $current_user + r ACL SETUSER $current_user + + set users [r ACL LIST] + foreach user [lshuffle $users] { + if {[string first $current_user $user] != -1} { + set current_user_output $user + } + } + + r ACL SETUSER $current_user reset + set users [r ACL LIST] + foreach user [lshuffle $users] { + if {[string first $current_user $user] != -1} { + assert_equal $current_user_output $user + } + } + } + # Note that the order of the generated ACL rules is not stable in Redis # so we need to match the different parts and not as a whole string. test {ACL GETUSER is able to translate back command permissions} {