[open-ils-commits] [GIT] Evergreen ILS branch rel_2_10 updated. 9f7a5940166f3c94f7d6bd457da521ebfb46a7db
Evergreen Git
git at git.evergreen-ils.org
Mon May 9 16:43:16 EDT 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_10 has been updated
via 9f7a5940166f3c94f7d6bd457da521ebfb46a7db (commit)
via 8069cc6d29077892f4375f56b3a88a0531922a8d (commit)
from 7f5121240e3ef7fa7424c6388387182175e20edb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9f7a5940166f3c94f7d6bd457da521ebfb46a7db
Author: Galen Charlton <gmc at esilibrary.com>
Date: Fri May 6 21:40:12 2016 -0400
LP#1579225: fix handling of passwords in patron registration
This patch improves how the new password hashing is invoked
by open-ils.actor.patron.update; in particular, it fixes
a problem whereby newly registered patrons could not
log in. It also fixes other issues:
- actor.usr.passwd would be set to an MD5 of the password
for new users, vitiating the strong hashes in actor.passwd
- certain types of updates via patron registration, such as
adding or deleting addresses, could result in the patron's
password getting doubly-hashed, thereby locking them out
of their account.
To test
-------
[1] Register a new patron; verify that they can log in.
[2] Edit an existing patron and change their password; verify
that they can log in.
[3] Edit an existing patron but do NOT change their password;
verify that they can still log in.
[4] Inspect the actor.usr rows for these patrons and verify
that actor.usr.passwd is set to the value MD5(''), not
the MD5 of their password.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
Signed-off-by: Kathy Lussier <klussier at masslnc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 1e0593d..309dd3d 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -428,6 +428,13 @@ sub update_patron {
$barred_hook = $U->is_true($new_patron->barred) ?
'au.barred' : 'au.unbarred';
}
+
+ # update the password by itself to avoid the password protection magic
+ if ($patron->passwd && $patron->passwd ne $old_patron->passwd) {
+ modify_migrated_user_password($e, $patron->id, $patron->passwd);
+ $new_patron->passwd(''); # subsequent update will set
+ # actor.usr.passwd to MD5('')
+ }
}
( $new_patron, $evt ) = _add_update_addresses($e, $patron, $new_patron);
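Review bot: The new guard `if ($patron->passwd && $patron->passwd ne $old_patron->passwd)` reads the passwd field of `$old_patron` without checking that it is defined, so a fetched row with an unset passwd produces an uninitialized-value warning under `use warnings` while still taking the branch; `if ($patron->passwd && $patron->passwd ne ($old_patron->passwd // '')) {` makes the comparison total. The call to `modify_migrated_user_password` now runs before `_add_update_addresses` and the later user update, so a failure in those later steps leaves the new hash already stored unless `$e` is inside one transaction here, which the hunk does not show. Since the cleared `$new_patron->passwd('')` deliberately leaves `actor.usr.passwd` holding MD5('') as a sentinel, the comment would be more useful to a maintainer if it also stated that authentication must not consult that column, e.g. `# actor.usr.passwd becomes MD5('') — only actor.passwd is authoritative; login must never compare against this column`. The enclosing `update_patron` starts and ends outside the hunk.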
@@ -580,7 +587,12 @@ sub _add_patron {
$logger->info("Creating new user in the DB with username: ".$patron->usrname());
+ # do a dance to get the password hashed securely
+ my $saved_password = $patron->passwd;
+ $patron->passwd('');
$e->create_actor_user($patron) or return $e->die_event;
+ modify_migrated_user_password($e, $patron->id, $saved_password);
+
my $id = $patron->id; # added by CStoreEditor
$logger->info("Successfully created new user [$id] in DB");
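Review bot: `modify_migrated_user_password($e, $patron->id, $saved_password)` is now called unconditionally, whereas the guard this commit removes from `_update_patron` (the third hunk) only invoked it when a password was actually supplied, so a registration without a password now reaches the helper with an undef or empty value; `modify_migrated_user_password($e, $patron->id, $saved_password) if defined $saved_password && length $saved_password;` restores that check. The call's result is also discarded, unlike the adjacent `$e->create_actor_user($patron) or return $e->die_event;` — if the helper can signal failure (not visible here), the user row would be left with only the MD5('') sentinel and no usable credential, which is worth checking with `or return $e->die_event` if the helper supports it. The enclosing `_add_patron` continues outside the hunk.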
@@ -651,12 +663,6 @@ sub _update_patron {
unless $e->allowed('UPDATE_USER', $patron->home_ou);
}
- # update the password by itself to avoid the password protection magic
- if( $patron->passwd ) {
- modify_migrated_user_password($e, $patron->id, $patron->passwd);
- $patron->clear_passwd;
- }
-
if(!$patron->ident_type) {
$patron->clear_ident_type;
$patron->clear_ident_value;
commit 8069cc6d29077892f4375f56b3a88a0531922a8d
Author: Galen Charlton <gmc at esilibrary.com>
Date: Mon May 9 16:40:52 2016 -0400
LP#1579225: add live_t regression test
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t b/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t
new file mode 100644
index 0000000..72ca889
--- /dev/null
+++ b/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t
@@ -0,0 +1,64 @@
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use OpenILS::Utils::TestUtils;
+use OpenILS::Utils::Fieldmapper;
+our $U = "OpenILS::Application::AppUtils";
+
+my $script = OpenILS::Utils::TestUtils->new();
+$script->bootstrap();
+
+$script->authenticate({
+ username => 'admin',
+ password => 'demo123',
+ type => 'staff'
+});
+
+my $authtoken = $script->authtoken;
+ok($authtoken, 'was able to authenticate');
+
+my $new_user = Fieldmapper::actor::user->new();
+my $new_card = Fieldmapper::actor::card->new();
+
+$new_card->barcode("felinity_$$");
+$new_card->id(-1); # virtual ID
+$new_card->usr(undef);
+$new_card->isnew(1);
+
+$new_user->cards([ $new_card ]);
+$new_user->card($new_card);
+$new_user->usrname("felinity_$$");
+$new_user->passwd('catsrule');
+$new_user->family_name('Doe');
+$new_user->first_given_name('Jane');
+$new_user->profile(2);
+$new_user->home_ou(4);
+$new_user->ident_type(2);
+$new_user->isnew(1);
+
+my $resp = $U->simplereq(
+ 'open-ils.actor',
+ 'open-ils.actor.patron.update',
+ $authtoken,
+ $new_user
+);
+
+isa_ok($resp, 'Fieldmapper::actor::user', 'new patron');
+
+$script->authenticate({
+ username => "felinity_$$",
+ password => 'catsrule',
+ type => 'opac',
+});
+my $opac_authtoken = $script->authtoken;
+ok($opac_authtoken, 'was able to authenticate using new patron');
+
+# clean up
+$U->simplereq(
+ 'open-ils.actor',
+ 'open-ils.actor.user.delete',
+ $authtoken,
+ $resp->id()
+);
-----------------------------------------------------------------------
Summary of changes:
.../src/perlmods/lib/OpenILS/Application/Actor.pm | 18 ++++--
.../live_t/17-lp1579225_new_patron_passwords.t | 64 ++++++++++++++++++++
2 files changed, 76 insertions(+), 6 deletions(-)
create mode 100644 Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t