[ic] [interchange] always use default encryption method for global AdminUser (problem found by Rok Ružič)

Stefan Hornburg (Racke) racke at linuxia.de
Sun Mar 7 07:50:55 UTC 2010


Stefan Hornburg wrote:
> commit 5919702a7e69de6b763d3bc48a5293d6a31c6c90
> Author: Stefan Hornburg (Racke) <racke at linuxia.de>
> Date:   Sat Mar 6 11:45:33 2010 +0100
> 
>     always use default encryption method for global AdminUser (problem found by Rok Ružič)
> 
>  lib/Vend/UserDB.pm |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> ---
> diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
> index c7e458a..a0a9953 100644
> --- a/lib/Vend/UserDB.pm
> +++ b/lib/Vend/UserDB.pm
> @@ -1397,7 +1397,10 @@ sub login {
>  					$test = $self->{PASSWORD};
>  				}
>  				else {
> +					my $sub = $self->{ENCSUB};
> +					$self->{ENCSUB} = $enc_subs{default};
>  					$test = $self->do_crypt($self->{PASSWORD}, $adminpass);
> +					$self->{ENCSUB} = $sub;
>  				}
>  				if ($test eq $adminpass) {
>  					$user_data = {};
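Review bot: the manual save/restore of `$self->{ENCSUB}` around `do_crypt` is not exception-safe: if `do_crypt` dies, the `else` branch never reaches `$self->{ENCSUB} = $sub;` and the object is left with the default method overriding whatever the catalog configured. Replacing the three added lines with a single `local $self->{ENCSUB} = $enc_subs{default};` before the `do_crypt` call gives the same effect and restores the previous value on any exit from the block. A short comment stating why the default method is forced for the global AdminUser would also help the next reader, since the intent is not obvious from the code alone.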

This fixes the issue with password verification for the admin user, but the current code regarding
AdminUser is still seriously flawed as it shouldn't look at catalog configuration at all.

In my case it authenticates, but fails due to trying foreign lookup or improper timestamp logging.

So I see two possibilities to get around this:

1. deal with AdminUser in a separate subroutine and immediately return from UserDB::login if
    this subroutine is successful

2. drop AdminUser completely

Please comment.

Regards
	Racke



-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
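The first option above, an AdminUser check kept in its own subroutine that ignores catalog-level settings and makes login return immediately on success, sketched as an added illustration. This is not Interchange code: the `%enc_subs` table, the `admin_login` routine, the `$ADMIN_USER`/`$ADMIN_HASH` values and the stub `login` are all constructed for the example, and the admin credentials would in practice come from global configuration rather than hard-coded values.

```perl
#!/usr/bin/perl
# Added illustration (not Interchange code): admin authentication handled in a
# separate subroutine that consults no catalog configuration and returns early.
use strict;
use warnings;

# Constructed stand-in for Interchange's %enc_subs: method name => code ref.
# 'default' here is plain crypt(); the catalog may have configured another.
my %enc_subs = (
    default => sub { my ($self, $pw, $salt) = @_; return crypt($pw, $salt) },
    other   => sub { die "catalog-configured method, not for AdminUser\n" },
);

# Hypothetical global admin credentials (constructed sample values).
my $ADMIN_USER = 'admin';
my $ADMIN_HASH = crypt('correct horse', 'ab');

sub admin_login {
    my ($self, $user, $password) = @_;
    return 0 unless defined $user && defined $password && $user eq $ADMIN_USER;

    # Scope the override with 'local': ENCSUB is restored on any exit from
    # this block, including die, which a manual save/restore does not ensure.
    local $self->{ENCSUB} = $enc_subs{default};
    my $test = $self->{ENCSUB}->($self, $password, $ADMIN_HASH);
    return $test eq $ADMIN_HASH ? 1 : 0;
}

sub login {
    my ($self, $user, $password) = @_;
    # AdminUser is decided first; on success nothing catalog-specific
    # (foreign lookups, timestamp logging) runs at all.
    return 1 if admin_login($self, $user, $password);
    # ... ordinary catalog user lookup would follow here ...
    return 0;
}

# Object whose catalog has configured a non-default encryption method.
my $self = { ENCSUB => $enc_subs{other} };
print login($self, 'admin', 'correct horse') ? "admin ok\n"     : "admin denied\n";
print login($self, 'admin', 'wrong')         ? "admin ok\n"     : "admin denied\n";
print "ENCSUB restored: ", ($self->{ENCSUB} == $enc_subs{other} ? "yes" : "no"), "\n";
```

Running this prints that the correct password is accepted, the wrong one denied, and that `ENCSUB` still points at the catalog's own method afterwards; the same holds if the crypt routine dies, because `local` undoes the override when the block unwinds.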