open-ils.actor.verify_user_password only works with hashed passwords
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Evergreen |
New
|
Undecided
|
Unassigned |
Bug Description
Evergreen Version 3.7+
The comments for the open-ils.
Given a barcode or username and the MD5 encoded password,
The password can also be passed without the MD5 hashing.
returns 1 if the password is correct. Returns 0 otherwise.
However, this is not true. If the $pass_nohash argument is given a true value, the password is treated as if it were hashed, and the password verification will fail. The following lines are responsible:
if ($pass_nohash) {
return $U->verify_
} else {
return $U->verify_
}
Instead of reusing the $pass_nohash value in the top branch of the "if" statement, the value should be 0.
The entire if block could probably be replaced with a single line of code.
summary: |
- open-ils.actor.verify_user_password only works with hashed arguments + open-ils.actor.verify_user_password only works with hashed passwords |
description: | updated |