Fix #534

cps/ub.py

@@ -649,6 +649,10 @@ def migrate_Database():
         conn.execute("ALTER TABLE Settings ADD column `config_certfile` String DEFAULT ''")
         conn.execute("ALTER TABLE Settings ADD column `config_keyfile` String DEFAULT ''")
         session.commit()
+    # Remove login capability of user Guest
+    conn = engine.connect()
+    conn.execute("UPDATE user SET password='' where nickname = 'Guest' and password !=''")
+    session.commit()
 
 
 def clean_database():
@@ -691,10 +695,10 @@ def get_mail_settings():
 # Generate user Guest (translated text), as anoymous user, no rights
 def create_anonymous_user():
     user = User()
-    user.nickname = _("Guest")
+    user.nickname = "Guest"
     user.email = 'no@email'
     user.role = ROLE_ANONYMOUS
-    user.password = generate_password_hash('1')
+    user.password = ''
 
     session.add(user)
     try:

cps/web.py

@@ -2049,10 +2049,8 @@ def login():
     if request.method == "POST":
         form = request.form.to_dict()
         user = ub.session.query(ub.User).filter(func.lower(ub.User.nickname) == form['username'].strip().lower()).first()
-
-        if user and check_password_hash(user.password, form['password']):
+        if user and check_password_hash(user.password, form['password']) and user.nickname is not "Guest":
             login_user(user, remember=True)
-
             flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
             return redirect_back(url_for("index"))
         else: