https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41442
Bug ID: 41442
Summary: check_api_auth can fail to authenticate service user if userid is not same as cardnumber
Initiative type: ---
Sponsorship status: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
If check_api_auth() ends up doing internal authentication of a service user
whose userid is not the same as its cardnumber, the password can get
successfully validated but the overall authentication can fail.
This is because, like other authentication pathways, it's possible to pass a
cardnumber to identify the user to check_api_auth() and have checkpw()
successfully validate the password. However, after checkpw() is called, the
authentication must pass haspermission(), which _requires_ that it always be
passed the userid.
Other authentication pathways will result in $userid getting set correctly
before it's passed to haspermission(), but check_api_auth() doesn't currently
do that.
One way that this can manifest is that if you have set up a service user for
the OCLC Connexion importer whose cardnumber is not the same as the userid, the
importer's attempts to authenticate itself to Koha can subtly fail.
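The mismatch described above, as an added Perl model that is not Koha's own code: checkpw(), haspermission() and the patron table are simplified stand-ins, and the service user record and credentials are constructed for the example.

```perl
use strict; use warnings;

# Constructed patron records standing in for Koha's borrowers table; the
# service user's cardnumber differs from its userid, as in the bug report.
my @patrons = (
    { userid => 'connexion_svc', cardnumber => 'SVC0001',
      password => 'example-secret', flags => { editcatalogue => 1 } },
    { userid => 'jdoe', cardnumber => 'jdoe', password => 'other', flags => {} },
);

# Lookup by userid or cardnumber, mirroring how Koha identifies a patron.
sub find_patron {
    my ($id) = @_;
    return (grep { $_->{userid} eq $id || $_->{cardnumber} eq $id } @patrons)[0];
}

# Model of checkpw(): (1, cardnumber, userid) on success, (0) on failure.
sub checkpw {
    my ($id, $password) = @_;
    my $p = find_patron($id) or return (0);
    return (0) unless $p->{password} eq $password;
    return (1, $p->{cardnumber}, $p->{userid});
}

# Model of haspermission(): keyed strictly on userid, never on cardnumber.
sub haspermission {
    my ($userid, $flag) = @_;
    my ($p) = grep { $_->{userid} eq $userid } @patrons;
    return $p && $p->{flags}{$flag} ? 1 : 0;
}

# Buggy flow: the identifier as supplied is forwarded to haspermission().
sub api_auth_buggy {
    my ($id, $password, $flag) = @_;
    my ($ok) = checkpw($id, $password);
    return $ok ? haspermission($id, $flag) : 0;
}

# Fixed flow: the userid resolved by checkpw() is what gets checked.
sub api_auth_fixed {
    my ($id, $password, $flag) = @_;
    my ($ok, undef, $userid) = checkpw($id, $password);
    return $ok ? haspermission($userid, $flag) : 0;
}

# Same valid credentials, identified by cardnumber: denied (0) vs allowed (1).
printf "buggy=%d fixed=%d\n",
    api_auth_buggy('SVC0001', 'example-secret', 'editcatalogue'),
    api_auth_fixed('SVC0001', 'example-secret', 'editcatalogue');
```

With the password correct and the service user identified by cardnumber, the buggy flow is denied by the permission check even though authentication succeeded, while the fixed flow resolves the userid first and is allowed.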
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/