[GH-ISSUE #852] admin:admin cannot be deactivated #3552

New issue

Closed

opened 2026-02-28 11:56:38 +03:00 by kerem · 12 comments

kerem commented 2026-02-28 11:56:38 +03:00

Owner

Copy link

Originally created by @soekdd on GitHub (Feb 6, 2025).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/852

Description

The standard-user 'admin' cannot ba deleted (because its an inital user, ok), cannot be modfifed or deactivated (because of demo-mode). But the demo mode is not actived:

app.ini

[node]
Name                 =
SkipInstallation     = false
Demo                 = false
ICPNumber            =
PublicSecurityNumber =

Info:

• Server OS: Debian GNU/Linux 12 (bookworm)
• Nginx UI Version: v2.0.0-rc.1
• Your Browser: Chrome

Originally created by @soekdd on GitHub (Feb 6, 2025). Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/852 **Description** The standard-user 'admin' cannot ba deleted (because its an inital user, ok), cannot be modfifed or deactivated (because of demo-mode). But the demo mode is not actived: app.ini ``` ini [node] Name = SkipInstallation = false Demo = false ICPNumber = PublicSecurityNumber = ``` **Info:** - Server OS: Debian GNU/Linux 12 (bookworm) - Nginx UI Version: v2.0.0-rc.1 - Your Browser: Chrome

kerem 2026-02-28 11:56:38 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

Demo                 = 0

doesnt work either...

<!-- gh-comment-id:2638911101 --> @soekdd commented on GitHub (Feb 6, 2025): ``` Demo = 0 ``` doesnt work either...

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

c.ModifyHook(func(c *cosy.Ctx[model.User]) {
		c.BeforeDecodeHook(func(ctx *cosy.Ctx[model.User]) {
			if ctx.ID == 1 {
				ctx.AbortWithError(user.ErrChangeInitUserPwdInDemo)
			}
		})
		c.BeforeDecodeHook(encryptPassword)
	})

Unfortunately I'm not common with go. But it looks like you dont check for demo mode.

<!-- gh-comment-id:2638942959 --> @soekdd commented on GitHub (Feb 6, 2025): ``` c.ModifyHook(func(c *cosy.Ctx[model.User]) { c.BeforeDecodeHook(func(ctx *cosy.Ctx[model.User]) { if ctx.ID == 1 { ctx.AbortWithError(user.ErrChangeInitUserPwdInDemo) } }) c.BeforeDecodeHook(encryptPassword) }) ``` Unfortunately I'm not common with go. But it looks like you dont check for demo mode.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 6, 2025):

Thank you for the report, i will fix it later.

<!-- gh-comment-id:2638956182 --> @0xJacky commented on GitHub (Feb 6, 2025): Thank you for the report, i will fix it later.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 6, 2025):

Fixed in 7049599, please reinstall the latest version of v2.0.0-rc.1.

<!-- gh-comment-id:2639373353 --> @0xJacky commented on GitHub (Feb 6, 2025): Fixed in [7049599](https://github.com/0xJacky/nginx-ui/commit/70495999223c0f437be41aa7d69ace5480342f4d), please reinstall the latest version of v2.0.0-rc.1.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

Great job!

<!-- gh-comment-id:2639446244 --> @soekdd commented on GitHub (Feb 6, 2025): Great job!

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

Sorry, I'll have to ask you to open the ticket again:
I have installed your new version: Change password responds with a success message, but it does not change the password. So admin:admin remains active. Changing the passwords of all other users also fails.

BTW: I wish you would not transmit the password (either when logging in or when changing the password) unencrypted.

<!-- gh-comment-id:2639482428 --> @soekdd commented on GitHub (Feb 6, 2025): Sorry, I'll have to ask you to open the ticket again: I have installed your new version: Change password responds with a success message, but it does not change the password. So admin:admin remains active. Changing the passwords of all other users also fails. BTW: I wish you would not transmit the password (either when logging in or when changing the password) unencrypted.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 6, 2025):

Oops, I will fix it again later. By the way, this is the autocomplete function of the browser, and it is not nginx-ui to change the password unencrypted.

<!-- gh-comment-id:2639494743 --> @0xJacky commented on GitHub (Feb 6, 2025): Oops, I will fix it again later. By the way, this is the autocomplete function of the browser, and it is not nginx-ui to change the password unencrypted.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

Nope, the passwords are in plain text in your web service calls:

{
    "name": "soek",
    "password": "0xJacky!sTheB3st",
    "otp": "",
    "recovery_code": ""
}

<!-- gh-comment-id:2639542640 --> @soekdd commented on GitHub (Feb 6, 2025): Nope, the passwords are in plain text in your web service calls: ``` { "name": "soek", "password": "0xJacky!sTheB3st", "otp": "", "recovery_code": "" } ```

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 6, 2025):

Currently, it will be encrypted when it's stored to the database, but the request was made without encryption. I will try to enhance this.

<!-- gh-comment-id:2639563983 --> @0xJacky commented on GitHub (Feb 6, 2025): Currently, it will be encrypted when it's stored to the database, but the request was made without encryption. I will try to enhance this.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 6, 2025):

Please reinstall the latest rc.1, the password changing issue has been resolved.

<!-- gh-comment-id:2639869648 --> @0xJacky commented on GitHub (Feb 6, 2025): Please reinstall the latest rc.1, the password changing issue has been resolved.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@soekdd commented on GitHub (Feb 6, 2025):

Check it, works! Thank you very much for you exemplary response! Greatings from Dresden/Germany.

<!-- gh-comment-id:2639992099 --> @soekdd commented on GitHub (Feb 6, 2025): Check it, works! Thank you very much for you exemplary response! Greatings from Dresden/Germany.

kerem commented 2026-02-28 11:56:38 +03:00

Author

Owner

Copy link

@0xJacky commented on GitHub (Feb 7, 2025):

Nope, the passwords are in plain text in your web service calls:

{
    "name": "soek",
    "password": "0xJacky!sTheB3st",
    "otp": "",
    "recovery_code": ""
}

Recently, we used the RSA algorithm to encrypt the payload of login/install requests, this change will be released in the next RC version. Thanks for your suggestion!

<!-- gh-comment-id:2643117471 --> @0xJacky commented on GitHub (Feb 7, 2025): > Nope, the passwords are in plain text in your web service calls: > > ``` > { > "name": "soek", > "password": "0xJacky!sTheB3st", > "otp": "", > "recovery_code": "" > } > ``` Recently, we used the RSA algorithm to encrypt the payload of login/install requests, this change will be released in the next RC version. Thanks for your suggestion!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

weblate

main

renovate/uuid-14.x

renovate/typescript-6.x

renovate/all-minor-patch

cursor/interface-conversion-error-36ec

cursor/docker-api-stat-path-27ca

cursor/nginx-ui-disk-i-o-3d99

cursor/cloudflare-dns-comments-299c

cursor/access-log-dark-mode-font-dfdc

copilot/fix-ai-chat-title-error

cursor/propfind-method-logging-33b5

cursor/docker-client-version-update-d1b4

copilot/fix-nginx-ui-api-errors

cursor/update-x-forwarded-proto-header-handling-1223

cursor/fix-nginx-ui-issue-1455-gpt-5.1-codex-high-079c

cursor/update-nginx-ui-to-vue-3-gpt-5.1-codex-high-3100

cursor/investigate-nginx-ui-issue-1446-gpt-5.1-codex-high-2be0

v1

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.1

v2.2.0-patch.1

v2.2.0

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4-patch.1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0-patch.1

v2.1.0

v2.1.0-rc.3

v2.1.0-rc.2

v2.1.0-rc.1

v2.1.0-beta.1

v2.0.2

v2.0.1

v2.0.0

v2.0.0-rc.8-patch.1

v2.0.0-rc.8

v2.0.0-rc.7-patch.6

v2.0.0-rc.7-patch.7

v2.0.0-rc.7-patch.8

v2.0.0-rc.7-patch.5

v2.0.0-rc.7-patch.4

v2.0.0-rc.7-patch.3

v2.0.0-rc.7-patch.2

v2.0.0-rc.7-patch.1

v2.0.0-rc.7

v2.0.0-rc.6-patch.5

v2.0.0-rc.6-patch.4

v2.0.0-rc.6-patch.3

v2.0.0-rc.6-patch.2

v2.0.0-rc.6-patch.1

v2.0.0-rc.6

v2.0.0-rc.5

v2.0.0-rc.4-patch.3

v2.0.0-rc.4-patch.2

v2.0.0-rc.4-patch.1

v2.0.0-rc.4

v2.0.0-rc.3-patch.1

v2.0.0-rc.3

v2.0.0-rc.2

v2.0.0-rc.1-patch.2

v2.0.0-rc.1-patch.1

v2.0.0-rc.1

v2.0.0-beta.42

v2.0.0-beta.41

v2.0.0-beta.40

v2.0.0-beta.39-risefront.6

v2.0.0-beta.39-risefront.5

v2.0.0-beta.39-risefront.4

v2.0.0-beta.39-risefront.3

v2.0.0-beta.39-risefront.2

v2.0.0-beta.39-risefront

v2.0.0-beta.39

v2.0.0-beta.38

v2.0.0-beta.37-patch.5

v2.0.0-beta.37-patch.3

v2.0.0-beta.37-patch.4

v2.0.0-beta.37-patch.2

v2.0.0-beta.37-patch.1

v2.0.0-beta.37

v2.0.0-beta.36

v2.0.0-beta.35

v2.0.0-beta.34

v2.0.0-beta.33

v2.0.0-beta.32-patch.1

v2.0.0-beta.32

v2.0.0-beta.31

v2.0.0-beta.30

v2.0.0-beta.29

v2.0.0-beta.28

v2.0.0-beta.27

v2.0.0-beta.26

v2.0.0-beta.25-patch.2

v2.0.0-beta.25-patch.1

v2.0.0-beta.25

v2.0.0-beta.24

v2.0.0-beta.23-patch.2

v2.0.0-beta.23-patch.1

v2.0.0-beta.23

v2.0.0-beta.22

v2.0.0-beta.21

v2.0.0-beta.20

v2.0.0-beta.19

v2.0.0-beta.18-patch.2

v2.0.0-beta.18-patch.1

v2.0.0-beta.18

v2.0.0-beta.17

v2.0.0-beta.16

v2.0.0-beta.15

v2.0.0-beta.14

v2.0.0-beta.13-patch

v2.0.0-beta.13

v2.0.0-beta.12

v2.0.0-beta.11

v2.0.0-beta.10-patch

v2.0.0-beta.10

v2.0.0-beta.9

v2.0.0-beta.8-patch

v2.0.0-beta.8

v2.0.0-beta.7

v2.0.0-beta.6-patch.2

v2.0.0-beta.6-patch

v2.0.0-beta.6

v2.0.0-beta.5-patch

v2.0.0-beta.5

v2.0.0-beta.4-patch

v2.0.0-beta.4

v2.0.0-beta.3

v2.0.0-beta.2

v2.0.0-beta.1

v1.9.9-4

v1.9.9-3

v1.9.9-2

v1.9.9

v1.9.9-1

v1.8.4-patch

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.9

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0-patch

v1.7.0

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.3

v1.6.2

v1.6.1

v1.6.0-fix

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.5.0-beta9

v1.5.0-beta8

v1.5.0-beta7

v1.5.0-beta6

v1.5.0-beta5

v1.5.0-beta4-fix

v1.5.0-beta4

v1.5.0-beta3

v1.5.0-beta2

v1.5.0-beta1

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc1

v1.3.3-rc1

v1.3.2

v1.3.1-fix

v1.3.1

v1.3.0

v1.3.0-rc1

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc.3

v1.2.0-rc.2

v1.2.0-rc.1

v1.2.0-alpha.4

v1.2.0-alpha.3

v1.2.0-alpha.2

v1.1.0

Labels

Clear labels   

Q/A

  

bug

  

casdoor

  

dependencies

  

docker

  

documentation

  

duplicate

  

enhancement

  

help wanted

  

invalid

  

lego

  

platform:openwrt

  

platform:windows

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

Q/A

bug

casdoor

dependencies

docker

documentation

duplicate

enhancement

help wanted

invalid

lego

platform:openwrt

platform:windows

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-ui#3552

No description provided.