Comment 0 for bug 2059035

Jason Stephenson (jstephenson) wrote : open-ils.actor.verify_user_password only works with hashed arguments

Evergreen Version 3.7+

The comments for the open-ils.actor.verify_user_password backend function claim to work with non-hashed passwords:

        Given a barcode or username and the MD5 encoded password,
        The password can also be passed without the MD5 hashing.
        returns 1 if the password is correct. Returns 0 otherwise.

However, this is not true. If the $pass_nohash argument is given a true value, the password is treated as if it were hashed, and the password verification will fail. The following lines are responsible:

    if ($pass_nohash) {
        return $U->verify_migrated_user_password($e, $user->id, $pass_nohash);
    } else {
        return $U->verify_migrated_user_password($e, $user->id, $password, 1);
    }

Instead of using the $pass_nohash value in the top "if" statement, the value should be 0.

The entire if block could probably be replaced with a single line of code.