
fix masterkey auth

abhishek9686 3 ヶ月 前
コミット
6bec2164a0
3 ファイル変更19 行追加10 行削除
  1. 4 0
      controllers/user.go
  2. 4 0
      logic/auth.go
  3. 11 10
      logic/security.go

+ 4 - 0
controllers/user.go

@@ -710,6 +710,10 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 	if !servercfg.IsPro {
 		user.PlatformRoleID = models.AdminRole
 	}
+	if user.UserName == logic.MasterUser {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not allowed"), "badrequest"))
+		return
+	}
 
 	if user.PlatformRoleID == "" {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
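Review bot: The reserved-name guard is placed in the HTTP handler for creation, while the matching guard for renames sits in the logic layer (the UpdateUser hunk in logic/auth.go). Any other code path that creates a user without going through createUser would not inherit it; such paths are not visible in this diff, so this needs checking. Moving the comparison into the logic-layer create function, or into one shared helper such as `func isReservedUsername(name string) bool { return name == MasterUser }` called from both places, would keep the two guards from drifting apart. Accounts stored under this name before the commit are also not covered by either guard. createUser's body continues outside the hunk.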

+ 4 - 0
logic/auth.go

@@ -282,6 +282,10 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 		if _, err := GetUser(userchange.UserName); err == nil {
 			return &models.User{}, errors.New("username exists already")
 		}
+		if userchange.UserName == MasterUser {
+			return &models.User{}, errors.New("username not allowed")
+		}
+
 		user.UserName = userchange.UserName
 	}
 	if userchange.Password != "" {

+ 11 - 10
logic/security.go

@@ -33,17 +33,18 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
 			return
 		}
+		if username != MasterUser {
+			user, err := GetUser(username)
+			if err != nil {
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}
 
-		user, err := GetUser(username)
-		if err != nil {
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
-		}
-
-		if user.AccountDisabled {
-			err = errors.New("user account disabled")
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
+			if user.AccountDisabled {
+				err = errors.New("user account disabled")
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}
 		}
 
 		// detect masteradmin
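Review bot: The new `if username != MasterUser` branch skips both `GetUser` and the `AccountDisabled` check on the strength of the username string alone. Whether that is safe depends on how `username` is produced above the hunk, which is not visible here. If that value can come from anything other than master-key authentication, for example a token issued to an account that already carried this name before the createUser and UpdateUser guards landed, that account would no longer be subject to the disabled-account check. Consider keying the bypass on an explicit result from the authentication step rather than on the name, and checking at startup or in a migration that no stored user has the reserved name. Once the origin is confirmed, a comment on the branch would help, e.g. `// master key requests carry no user record, so the lookup and disabled check are skipped`.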