From: Lebbeous Fogle-Weekley Date: Mon, 11 Jun 2012 18:16:34 +0000 (-0400) Subject: Security fix: Prevent login by deleted and barred users X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=300dc300beb72524f79cbf6216933588c7d87c87;p=evergreen%2Fmasslnc.git Security fix: Prevent login by deleted and barred users An existing comment in the code suggested that we thought we were already keeping barred users out. LP #1010671 brings up that deleted users were not being kept out. Signed-off-by: Lebbeous Fogle-Weekley Signed-off-by: Mike Rylander
---
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 121e5dc9e9..f19015ca8f 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -642,7 +642,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 }
 }
- if(!userObj) {
+ int barred = 0, deleted = 0;
+ char *barred_str, *deleted_str;
+
+ if(userObj) {
+ barred_str = oilsFMGetString( userObj, "barred" );
+ barred = oilsUtilsIsDBTrue( barred_str );
+ free( barred_str );
+
+ deleted_str = oilsFMGetString( userObj, "deleted" );
+ deleted = oilsUtilsIsDBTrue( deleted_str );
+ free( deleted_str );
+ }
+
+ if(!userObj || barred || deleted) {
 response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
 osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
 uname, (barcode ? barcode : "(none)"), ws );
@@ -651,7 +664,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 return 0; // No such user
 }
- // Such a user exists. Now see if he or she has the right credentials.
+ // Such a user exists and isn't barred or deleted.
+ // Now see if he or she has the right credentials.
 int passOK = -1;
 if(uname) passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
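Review bot: The widened condition on the `if(!userObj || barred || deleted)` line lets the failure branch run with a non-NULL userObj, yet nothing in the hunk releases it; unless the lines between this hunk and the `return 0;` in the second hunk already free it, every login attempt by a barred or deleted account leaks the fetched user object, so `jsonObjectFree( userObj );` belongs on that path before the early return (the branch's tail is outside the hunk). The osrfLogInfo line now records barred and deleted accounts indistinguishably from unknown users, which anyone auditing the log will want separated; one option is `osrfLogInfo(OSRF_LOG_MARK, "failed login (%s): username=%s, barcode=%s, workstation=%s", !userObj ? "no such user" : barred ? "barred" : "deleted", uname, (barcode ? barcode : "(none)"), ws );`. Whether an absent or NULL "barred"/"deleted" field fails open depends on how oilsUtilsIsDBTrue treats a NULL string from oilsFMGetString, which this hunk does not show; confirm it returns false for NULL, or record that assumption in a comment above the `if(userObj)` block. The `// No such user` comment on the return line in the second hunk is now inaccurate and should read `// No such user, or user is barred/deleted`.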