Bug 12226 - A user with the database username/userid can access staff with full permissions
This patch implements 2 suggestions on comment #3 - Prevents creation of a new user with same userid of database user - When checking password, if userid matches database user, only check against pass on config file To test: 1. Create a new user with same login as database user any password different from real db user 2. Check that you can login on staff using this user/pass and you are superlibrarian 3. Apply the patch 4. Login again using new pass, it must fail 5. Login again using db pass, you are now superuser, but system does not warn you :( No problem, that's for having one borrower with that login 6. Delete user with same login as db user 7. Try to create one again as in 1, system must return an error of duplicate login! 8. Check for no regressions on user/pass authentication Resubmited, has an error Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Passes all tests and QA script. This works nicely and as described. Also editing the former 'superuser' will force you to change the userid in order to save any other change. Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This commit is contained in:
parent
58766535b4
commit
cb878c35a1
2 changed files with 13 additions and 9 deletions
19
C4/Auth.pm
19
C4/Auth.pm
|
@ -1560,6 +1560,17 @@ sub checkpw {
|
|||
sub checkpw_internal {
|
||||
my ( $dbh, $userid, $password ) = @_;
|
||||
|
||||
if ( $userid && $userid eq C4::Context->config('user') ) {
|
||||
if ( $password && $password eq C4::Context->config('pass') ) {
|
||||
# Koha superuser account
|
||||
# C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
|
||||
return 2;
|
||||
}
|
||||
else {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
my $sth =
|
||||
$dbh->prepare(
|
||||
"select password,cardnumber,borrowernumber,userid,firstname,surname,branchcode,flags from borrowers where userid=?"
|
||||
|
@ -1594,14 +1605,6 @@ sub checkpw_internal {
|
|||
return 1, $cardnumber, $userid;
|
||||
}
|
||||
}
|
||||
if ( $userid && $userid eq C4::Context->config('user')
|
||||
&& "$password" eq C4::Context->config('pass') )
|
||||
{
|
||||
|
||||
# Koha superuser account
|
||||
# C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
|
||||
return 2;
|
||||
}
|
||||
if ( $userid && $userid eq 'demo'
|
||||
&& "$password" eq 'demo'
|
||||
&& C4::Context->config('demo') )
|
||||
|
|
|
@ -879,7 +879,8 @@ sub Check_Userid {
|
|||
$dbh->prepare(
|
||||
"SELECT * FROM borrowers WHERE userid=? AND borrowernumber != ?");
|
||||
$sth->execute( $uid, $member );
|
||||
if ( ( $uid ne '' ) && ( my $row = $sth->fetchrow_hashref ) ) {
|
||||
if ( (( $uid ne '' ) && ( my $row = $sth->fetchrow_hashref )) or
|
||||
(( $uid ne '' ) && ( $uid eq C4::Context->config('user') )) ) {
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
|
|
Loading…
Reference in a new issue