summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-22 05:30:04 +0000
committertetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-22 05:30:04 +0000
commit009726fc8d3de1044b964195809bc6946de816b6 (patch)
treec90e3f3ca0b0eff7ecabd59ed5084411cd2adccf
parent35013e3feb3261f2d2f8c41bbe5e7052ac966ee1 (diff)
Adding check for determining that the requested user is the retreived user
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@679 4979c152-3d1c-0410-bac9-87ea11338e46
-rwxr-xr-xLedgerSMB/Session/DB.pm13
1 files changed, 8 insertions, 5 deletions
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index f69418cd..ecd87814 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -219,16 +219,19 @@ sub password_check {
# use the central database handle
my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
- my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ my $fetchPassword = $dbh->prepare("SELECT u.username, uc.password, uc.crypted_password
FROM users as u, users_conf as uc
WHERE u.username = ?
AND u.id = uc.id;");
$fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
- my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+ my ($dbusername, $md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
- if ($cryptPassword){
+ if ($dbusername ne $username) {
+ # User data retrieved from db not for the requested user
+ return 0;
+ } elsif ($cryptPassword){
#First time login from old system, check crypted password
if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
@@ -250,12 +253,12 @@ sub password_check {
return 0; #password failed
}
- }elsif ($md5Password){
+ } elsif ($md5Password){
if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
return 0;
}
- else{
+ else {
return 1;
}