From f9c56dbb09fca67e2b82e5aa789cfb7af0b123be Mon Sep 17 00:00:00 2001
From: antirez
Date: Fri, 20 Mar 2020 12:45:48 +0100
Subject: [PATCH] ACL: default user off should not allow automatic authentication.

This fixes issue #7011.
---
 src/networking.c | 3 ++-
 src/server.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/networking.c b/src/networking.c
index 0690bbdf6..69d59a59b 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -124,7 +124,8 @@ client *createClient(connection *conn) {
 c->ctime = c->lastinteraction = server.unixtime;
 /* If the default user does not require authentication, the user is
 * directly authenticated. */
- c->authenticated = (c->user->flags & USER_FLAG_NOPASS) != 0;
+ c->authenticated = (c->user->flags & USER_FLAG_NOPASS) &&
+ !(c->user->flags & USER_FLAG_DISABLED);
 c->replstate = REPL_STATE_NONE;
 c->repl_put_online_on_ack = 0;
 c->reploff = 0;
diff --git a/src/server.c b/src/server.c
index f702da94a..612805ce5 100644
--- a/src/server.c
+++ b/src/server.c
@@ -3380,7 +3380,7 @@ int processCommand(client *c) {
 /* Check if the user is authenticated. This check is skipped in case
 * the default user is flagged as "nopass" and is active. */
 int auth_required = (!(DefaultUser->flags & USER_FLAG_NOPASS) ||
- DefaultUser->flags & USER_FLAG_DISABLED) &&
+ (DefaultUser->flags & USER_FLAG_DISABLED)) &&
 !c->authenticated;
 if (auth_required) {
 /* AUTH and HELLO and no auth modules are valid even in
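Review bot: The comment kept above the new assignment in createClient() is now stale: it still says a default user that needs no authentication is authenticated directly, while the expression also requires the user not to be disabled. I would reword it to `/* If the default user is enabled and does not require a password, the client is directly authenticated. */`. The same nopass-and-not-disabled predicate is spelled out again in processCommand() in src/server.c, and the removed line shows the two had already diverged before this change, so a small shared helper would keep them in sync. The diffstat lists only the two source files, so no regression test for a default user set to off with nopass appears to accompany the fix. createClient() starts and ends outside the hunk.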
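Review bot: The comment above `auth_required` in processCommand() names only the default-user condition, but the expression also skips the check for any client whose `c->authenticated` is already set, and the parentheses added here do not change that (`&` already binds tighter than `||`). A connection marked authenticated in createClient() while the default user was enabled is therefore not re-evaluated here if the default user is disabled later; whether such connections are handled elsewhere is not visible in this patch. If that is intended, say so in the comment, e.g. `* Clients that are already authenticated are not re-checked when the default user is later disabled.`, so operators know existing connections must be closed separately. processCommand() continues outside the hunk.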