Bug 14507 Use checkpw to check password in Patron Info

Some devices are using patron information responses to validate
patron passwords to govern access to facilities as we
were using C4::Auth::checkpw_hash this only worked in a db password
context not other authentication routines.
The C4::Auth routines are not very consistent and there isnt a dropin
replacement for checkpw_hash this calls checkpw instead.
In a password only environment this behaves as the old version did
returning field CQ as Y if a valid password or no password is passed in
the patron info request and N if an incorrect password is supplied
It should also test against the appropriate authentication sources if
othere autrhentication schemes are in use

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Tested this with a client who reports that this enables SIP authentication to work correctly with their LDAP server.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com

diff --git a/C4/SIP/ILS/Patron.pm b/C4/SIP/ILS/Patron.pm
index 4e9c152..fe21903 100644 (file)
--- a/C4/SIP/ILS/Patron.pm
+++ b/C4/SIP/ILS/Patron.pm
@@ -22,7 +22,7 @@ use C4::Members;
 use C4::Reserves;
 use C4::Branch qw(GetBranchName);
 use C4::Items qw( GetBarcodeFromItemnumber GetItemnumbersForBiblio);
-use C4::Auth qw(checkpw_hash);
+use C4::Auth qw(checkpw);
 
 our $VERSION = 3.07.00.049;
 
@@ -102,6 +102,7 @@ sub new {
         inet            => ( !$debarred && !$expired ),
         expired         => $expired,
         fee_limit       => $fee_limit,
+        userid          => $kp->{userid},
     );
     }
     $debug and warn "patron fines: $ilspatron{fines} ... amountoutstanding: $kp->{amountoutstanding} ... CHARGES->amount: $flags->{CHARGES}->{amount}";
@@ -192,13 +193,17 @@ sub AUTOLOAD {
 
 sub check_password {
     my ($self, $pwd) = @_;
+
     defined $pwd or return 0;                  # you gotta give me something (at least ''), or no deal
 
-    my $hashed_pwd = $self->{password};
-    defined $hashed_pwd or return $pwd eq '';  # if the record has a NULL password, accept '' as match
+    if ($pwd eq q{}) {
+        return 1;
+    }
 
-    # warn sprintf "check_password for %s: '%s' vs. '%s'",($self->{name}||''),($self->{password}||''),($pwd||'');
-    return checkpw_hash($pwd, $hashed_pwd);
+    my $dbh = C4::Context->dbh;
+    my $ret = 0;
+    ($ret) = checkpw($dbh, $self->{userid}, $pwd);
+    return $ret;
 }
 
 # A few special cases, not in AUTOLOADed %fields