[open-ils-commits] [GIT] Evergreen ILS branch master updated. 9289743a74491deb7f4b960340eda2ff14ede493
Evergreen Git
git at git.evergreen-ils.org
Mon May 9 16:43:15 EDT 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, master has been updated
via 9289743a74491deb7f4b960340eda2ff14ede493 (commit)
via 82c0202c1e3ba3066fd831fef6b447de11c5c15d (commit)
from 2cf65ef923145aade9a6ced615dfd29d4d6216b3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9289743a74491deb7f4b960340eda2ff14ede493
Author: Galen Charlton <gmc at esilibrary.com>
Date: Fri May 6 21:40:12 2016 -0400
LP#1579225: fix handling of passwords in patron registration
This patch improves how the new password hashing is invoked
by open-ils.actor.patron.update; in particular, it fixes
a problem whereby newly registered patrons could not
log in. It also fixes other issues:
- actor.usr.passwd would be set to an MD5 of the password
for new users, vitiating the strong hashes in actor.passwd
- certain types of updates via patron registration, such as
adding or deleting addresses, could result in the patron's
password getting doubly-hashed, thereby locking them out
of their account.
To test
-------
[1] Register a new patron; verify that they can log in.
[2] Edit an existing patron and change their password; verify
that they can log in.
[3] Edit an existing patron but do NOT change their password;
verify that they can still log in.
[4] Inspect the actor.usr rows for these patrons and verify
that actor.usr.passwd is set to the value MD5(''), not
the MD5 of their password.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
Signed-off-by: Kathy Lussier <klussier at masslnc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 1e0593d..309dd3d 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -428,6 +428,13 @@ sub update_patron {
$barred_hook = $U->is_true($new_patron->barred) ?
'au.barred' : 'au.unbarred';
}
+
+ # update the password by itself to avoid the password protection magic
+ if ($patron->passwd && $patron->passwd ne $old_patron->passwd) {
+ modify_migrated_user_password($e, $patron->id, $patron->passwd);
+ $new_patron->passwd(''); # subsequent update will set
+ # actor.usr.passwd to MD5('')
+ }
}
( $new_patron, $evt ) = _add_update_addresses($e, $patron, $new_patron);
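Review bot: The result of `modify_migrated_user_password(...)` is discarded in the added block, and `$new_patron->passwd('')` runs regardless of whether the call succeeded. The helper's return convention is not visible in this hunk, but if it can fail without dying, the later update would still blank actor.usr.passwd while the strong hash stays at its old value, and the caller gets no error. I would capture the result and return an event on failure before clearing the field, in the same style as the `( $new_patron, $evt ) = ...` calls around it. The same unchecked call appears in the `_add_patron` hunk, where a failure would leave a freshly created account with only the empty legacy password. update_patron starts and ends outside this hunk, so the surrounding transaction handling should be confirmed there.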
@@ -580,7 +587,12 @@ sub _add_patron {
$logger->info("Creating new user in the DB with username: ".$patron->usrname());
+ # do a dance to get the password hashed securely
+ my $saved_password = $patron->passwd;
+ $patron->passwd('');
$e->create_actor_user($patron) or return $e->die_event;
+ modify_migrated_user_password($e, $patron->id, $saved_password);
+
my $id = $patron->id; # added by CStoreEditor
$logger->info("Successfully created new user [$id] in DB");
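Review bot: `$saved_password` is passed to `modify_migrated_user_password` unconditionally, so a registration request with an undefined or empty `passwd` is hashed as an empty password instead of being rejected. Unlike the update path, which guards with `if ($patron->passwd && ...)`, nothing here checks that a password was supplied. A guard before `create_actor_user`, such as `return OpenILS::Event->new('<EVENT_NAME placeholder>') unless defined $saved_password && length $saved_password;`, would make the requirement explicit; the event name is for the project to choose. It would also help to extend the comment on the "dance" to say that the row is created with an empty passwd on purpose, so that only the salted hash is ever stored. _add_patron's body continues outside this hunk.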
@@ -651,12 +663,6 @@ sub _update_patron {
unless $e->allowed('UPDATE_USER', $patron->home_ou);
}
- # update the password by itself to avoid the password protection magic
- if( $patron->passwd ) {
- modify_migrated_user_password($e, $patron->id, $patron->passwd);
- $patron->clear_passwd;
- }
-
if(!$patron->ident_type) {
$patron->clear_ident_type;
$patron->clear_ident_value;
commit 82c0202c1e3ba3066fd831fef6b447de11c5c15d
Author: Galen Charlton <gmc at esilibrary.com>
Date: Mon May 9 16:40:52 2016 -0400
LP#1579225: add live_t regression test
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t b/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t
new file mode 100644
index 0000000..72ca889
--- /dev/null
+++ b/Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t
@@ -0,0 +1,64 @@
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use OpenILS::Utils::TestUtils;
+use OpenILS::Utils::Fieldmapper;
+our $U = "OpenILS::Application::AppUtils";
+
+my $script = OpenILS::Utils::TestUtils->new();
+$script->bootstrap();
+
+$script->authenticate({
+ username => 'admin',
+ password => 'demo123',
+ type => 'staff'
+});
+
+my $authtoken = $script->authtoken;
+ok($authtoken, 'was able to authenticate');
+
+my $new_user = Fieldmapper::actor::user->new();
+my $new_card = Fieldmapper::actor::card->new();
+
+$new_card->barcode("felinity_$$");
+$new_card->id(-1); # virtual ID
+$new_card->usr(undef);
+$new_card->isnew(1);
+
+$new_user->cards([ $new_card ]);
+$new_user->card($new_card);
+$new_user->usrname("felinity_$$");
+$new_user->passwd('catsrule');
+$new_user->family_name('Doe');
+$new_user->first_given_name('Jane');
+$new_user->profile(2);
+$new_user->home_ou(4);
+$new_user->ident_type(2);
+$new_user->isnew(1);
+
+my $resp = $U->simplereq(
+ 'open-ils.actor',
+ 'open-ils.actor.patron.update',
+ $authtoken,
+ $new_user
+);
+
+isa_ok($resp, 'Fieldmapper::actor::user', 'new patron');
+
+$script->authenticate({
+ username => "felinity_$$",
+ password => 'catsrule',
+ type => 'opac',
+});
+my $opac_authtoken = $script->authtoken;
+ok($opac_authtoken, 'was able to authenticate using new patron');
+
+# clean up
+$U->simplereq(
+ 'open-ils.actor',
+ 'open-ils.actor.user.delete',
+ $authtoken,
+ $resp->id()
+);
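Review bot: The final assertion `ok($opac_authtoken, ...)` only checks that `$script->authtoken` is true after the second `authenticate` call. If TestUtils keeps the earlier staff token when a login fails (not visible here), the test would pass even though the new patron cannot log in. Adding `isnt($opac_authtoken, $authtoken, 'patron login issued its own token');` and a negative case that a wrong password is refused would close that gap; the plan count would need to rise to match. The test also covers only step [1] of the commit's test plan: the edit-with-change and edit-without-change paths, and the check that actor.usr.passwd is MD5(''), are not exercised. The result of the `open-ils.actor.user.delete` cleanup call is also ignored, so a failed delete leaves a `felinity_$$` account with a known password in the test database.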
-----------------------------------------------------------------------
Summary of changes:
.../src/perlmods/lib/OpenILS/Application/Actor.pm | 18 ++++--
.../live_t/17-lp1579225_new_patron_passwords.t | 64 ++++++++++++++++++++
2 files changed, 76 insertions(+), 6 deletions(-)
create mode 100644 Open-ILS/src/perlmods/live_t/17-lp1579225_new_patron_passwords.t
hooks/post-receive
--
Evergreen ILS