From 300dc300beb72524f79cbf6216933588c7d87c87 Mon Sep 17 00:00:00 2001 From: Lebbeous Fogle-Weekley Date: Mon, 11 Jun 2012 14:16:34 -0400 Subject: [PATCH] Security fix: Prevent login by deleted and barred users An existing comment in the code suggested that we thought we were already keeping barred users out. LP #1010671 brings up that deleted users were not being kept out. Signed-off-by: Lebbeous Fogle-Weekley Signed-off-by: Mike Rylander --- Open-ILS/src/c-apps/oils_auth.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c index 121e5dc9e9..f19015ca8f 100644 --- a/Open-ILS/src/c-apps/oils_auth.c +++ b/Open-ILS/src/c-apps/oils_auth.c @@ -642,7 +642,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) { } } - if(!userObj) { + int barred = 0, deleted = 0; + char *barred_str, *deleted_str; + + if(userObj) { + barred_str = oilsFMGetString( userObj, "barred" ); + barred = oilsUtilsIsDBTrue( barred_str ); + free( barred_str ); + + deleted_str = oilsFMGetString( userObj, "deleted" ); + deleted = oilsUtilsIsDBTrue( deleted_str ); + free( deleted_str ); + } + + if(!userObj || barred || deleted) { response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED ); osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s", uname, (barcode ? barcode : "(none)"), ws ); @@ -651,7 +664,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) { return 0; // No such user } - // Such a user exists. Now see if he or she has the right credentials. + // Such a user exists and isn't barred or deleted. + // Now see if he or she has the right credentials. int passOK = -1; if(uname) passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password ); -- 2.43.2
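Review bot: The new `if(!userObj || barred || deleted)` branch in the first hunk reports every rejection with the same `failed login:` log line and OILS_EVENT_AUTH_FAILED, so an operator reading the server log cannot tell attempts against a barred or deleted account from an unknown username; keeping the client-facing event identical is the right call, but the server-side record should carry the reason, e.g. `osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s, barred=%d, deleted=%d", uname, (barcode ? barcode : "(none)"), ws, barred, deleted);`. The `return 0; // No such user` context line at the top of the second hunk is now inaccurate for the same reason, since barred and deleted users take that exit too; it should read `return 0; // No such user, or user is barred/deleted`. What happens when `oilsFMGetString` returns NULL for an unset "barred"/"deleted" field depends on how `oilsUtilsIsDBTrue` treats NULL, which is not visible in this patch; if it yields 0 the account is admitted, so confirm that an unset column is meant to fail open, or treat a NULL `barred_str`/`deleted_str` explicitly before calling it. The enclosing `oilsAuthComplete` starts and ends outside both hunks.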