Security fix: Prevent login by deleted and barred users

An existing comment in the code suggested that we thought we were already
keeping barred users out.  LP #1010671 brings up that deleted users were
not being kept out.

Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Signed-off-by: Mike Rylander <mrylander@gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 121e5dc..f19015c 100644 (file)
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -642,7 +642,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
                }
        }
 
-       if(!userObj) {
+       int     barred = 0, deleted = 0;
+       char   *barred_str, *deleted_str;
+
+       if(userObj) {
+               barred_str = oilsFMGetString( userObj, "barred" );
+               barred = oilsUtilsIsDBTrue( barred_str );
+               free( barred_str );
+
+               deleted_str = oilsFMGetString( userObj, "deleted" );
+               deleted = oilsUtilsIsDBTrue( deleted_str );
+               free( deleted_str );
+       }
+
+       if(!userObj || barred || deleted) {
                response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
                osrfLogInfo(OSRF_LOG_MARK,  "failed login: username=%s, barcode=%s, workstation=%s",
                                uname, (barcode ? barcode : "(none)"), ws );
@@ -651,7 +664,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
                return 0;           // No such user
        }
 
-       // Such a user exists.  Now see if he or she has the right credentials.
+       // Such a user exists and isn't barred or deleted.
+       // Now see if he or she has the right credentials.
        int passOK = -1;
        if(uname)
                passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );