[Bug 41442] New: check_api_auth can fail to authenticate service user if userid is not same as cardnumber
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41442 Bug ID: 41442 Summary: check_api_auth can fail to authenticate service user if userid is not same as cardnumber Initiative type: --- Sponsorship --- status: Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: gmcharlt@gmail.com QA Contact: testopia@bugs.koha-community.org If check_api_auth() ends up doing internal authentication of a service user whose userid is not the same as its cardnumber, the password can get successfully validated but the overall authentication can fail. This is because, like other authentication pathways, it's possible to pass a cardnumber to identify the user to check_api_auth() and have checkpw() successful validate the password. However, after checkpw() is called, the authentication must pass haspermission(), which _requires_ that it always be passed the userid. Other authentication pathways will result in $userid getting set correctly before it's passed to haspermission(), but check_api_auth() doesn't currently do that. One way that this can manifest is that if you have set up a service user for the OCLC Connexion importer whose cardnumber is not the same as the userid, the importer's attempts to authenticate itself to Koha can subtly fail. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org