From e49d2ed40283c2a723aa42649e9c168ad9d41972 Mon Sep 17 00:00:00 2001
From: phasefx
Date: Mon, 22 Dec 2008 21:04:52 +0000
Subject: [PATCH] if both username and barcode are provided, make sure they refer to the same user

git-svn-id: svn://svn.open-ils.org/ILS/trunk@11656 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/perlmods/OpenILS/Application/Actor.pm | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
index 41d1b39f15..0c01d2d8bc 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
@@ -2989,14 +2989,21 @@ sub verify_user_password {
 my $e = new_editor(authtoken => $auth);
 return $e->die_event unless $e->checkauth;
 my $user;
+ my $user_by_barcode;
+ my $user_by_username;
 if($barcode) {
 my $card = $e->search_actor_card([
 {barcode => $barcode},
 {flesh => 1, flesh_fields => {ac => ['usr']}}])->[0] or return 0;
- $user = $card->usr;
- } else {
- $user = $e->search_actor_user({usrname => $username})->[0] or return 0;
+ $user_by_barcode = $card->usr;
+ $user = $user_by_barcode;
+ }
+ if ($username) {
+ $user_by_username = $e->search_actor_user({usrname => $username})->[0] or return 0;
+ $user = $user_by_username;
 }
+ return 0 if (!$user);
+ return 0 if ($user_by_username && $user_by_barcode && $user_by_username->id != $user_by_barcode->id);
 return $e->event unless $e->allowed('VIEW_USER', $user->home_ou);
 return 1 if $user->passwd eq $password;
 return 0;
-- 
2.43.2
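Review bot: The new mismatch test `return 0 if ($user_by_username && $user_by_barcode && ...)` runs before the `$e->allowed('VIEW_USER', $user->home_ou)` check, so the return value differs for a caller who lacks VIEW_USER on the patron: 0 when the barcode and username resolve to different users, the permission event when they resolve to the same one. The result therefore discloses whether a barcode and a username belong to the same account without the permission that is meant to gate that information. Running the permission check on every resolved user before comparing ids would close this, for example `for my $u (grep { $_ } $user_by_barcode, $user_by_username) { return $e->event unless $e->allowed('VIEW_USER', $u->home_ou); }` placed ahead of the id comparison. The same loop also covers the barcode user's `home_ou`, which the current code never checks when both arguments are given. `verify_user_password` begins and ends outside the hunk, so how `$barcode`, `$username` and `$password` are unpacked and normalised is not visible here.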