authortetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-22 05:30:04 +0000
committertetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-22 05:30:04 +0000
commit009726fc8d3de1044b964195809bc6946de816b6 (patch)
treec90e3f3ca0b0eff7ecabd59ed5084411cd2adccf /LedgerSMB/Session
parent35013e3feb3261f2d2f8c41bbe5e7052ac966ee1 (diff)
Adding check for determining that the requested user is the retrieved user
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@679 4979c152-3d1c-0410-bac9-87ea11338e46
Diffstat (limited to 'LedgerSMB/Session')
-rwxr-xr-xLedgerSMB/Session/DB.pm13
1 files changed, 8 insertions, 5 deletions
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index f69418cd..ecd87814 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -219,16 +219,19 @@ sub password_check {
# use the central database handle
my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
- my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ my $fetchPassword = $dbh->prepare("SELECT u.username, uc.password, uc.crypted_password
FROM users as u, users_conf as uc
WHERE u.username = ?
AND u.id = uc.id;");
$fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
- my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+ my ($dbusername, $md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
- if ($cryptPassword){
+ if ($dbusername ne $username) {
+ # User data retrieved from db not for the requested user
+ return 0;
+ } elsif ($cryptPassword){
#First time login from old system, check crypted password
if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
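Review bot: The new `if ($dbusername ne $username)` check rejects an unknown username only as a side effect: when the SELECT returns no row, `fetchrow_array` leaves `$dbusername` undefined, and the comparison still falls into the `return 0` branch but raises a "Use of uninitialized value" warning on every failed lookup, so each login probe with a bogus name lands in the server log. Make the no-row case explicit, `if (!defined $dbusername || $dbusername ne $username) {`, so a missing user is rejected deliberately rather than through an undef-to-string coercion. The comment `# User data retrieved from db not for the requested user` should also say why the check is needed — presumably because the database's string comparison can match a name that differs from the requested one in case or trailing whitespace, while the crypt salt two lines below is taken from the requested `$username` — otherwise a future maintainer may drop it as redundant with the `WHERE u.username = ?` clause. password_check's body continues outside the hunk.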
@@ -250,12 +253,12 @@ sub password_check {
return 0; #password failed
}
- }elsif ($md5Password){
+ } elsif ($md5Password){
if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
return 0;
}
- else{
+ else {
return 1;
}