[Koha-bugs] [Bug 21997] SIP patron information requests can lock patron out of account
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Feb 20 15:14:20 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997
--- Comment #10 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Created attachment 85361
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=85361&action=edit
Bug 21997: SIP patron information requests can lock patron out of account
Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run though Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.
Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!
Signed-off-by: Charles Farmer <charles.farmer at inLibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list