open-ils.actor.verify_user_password only works with hashed passwords

Bug #2059035 reported by Jason Stephenson
This bug affects 2 people
Affects   | Status | Importance | Assigned to | Milestone
Evergreen | New    | Undecided  | Unassigned  |

Bug Description

Evergreen Version 3.7+

The comments for the open-ils.actor.verify_user_password backend function claim that it works with non-hashed passwords:

        Given a barcode or username and the MD5 encoded password,
        The password can also be passed without the MD5 hashing.
        returns 1 if the password is correct. Returns 0 otherwise.

However, this is not true. If the $pass_nohash argument is given a true value, the password is treated as if it were hashed, and the password verification will fail. The following lines are responsible:

    if ($pass_nohash) {
        return $U->verify_migrated_user_password($e, $user->id, $pass_nohash);
    } else {
        return $U->verify_migrated_user_password($e, $user->id, $password, 1);
    }

Instead of reusing the $pass_nohash value in the top branch of the "if" statement, the value should be 0.

The entire if block could probably be replaced with a single line of code.

summary: - open-ils.actor.verify_user_password only works with hashed arguments
+ open-ils.actor.verify_user_password only works with hashed passwords
description: updated