From 2acb35ba0673f2c9987be1db50c733cdd4cae896 Mon Sep 17 00:00:00 2001
From: Henri-Damien LAURENT
Date: Tue, 16 Feb 2010 11:24:49 +0100
Subject: [PATCH] Bug fix: Authentication with cardnumber allows superlibrarian access un privileged users couls access intranet with superlibrarian rights when login in with cardnumber/password
---
 C4/Auth.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index f810fd3381..c50658c9bf 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1258,11 +1258,11 @@ sub checkpw {
 my ( $md5password, $cardnumber, $borrowernumber, $userid, $firstname, $surname, $branchcode, $flags ) = $sth->fetchrow;
- if ( md5_base64($password) eq $md5password ) {
+ if ( ( md5_base64($password) eq $md5password ) and ($md5password ne "!") ) {
 C4::Context->set_userenv( $borrowernumber, $userid, $cardnumber, $firstname, $surname, $branchcode, $flags );
- return 1, $userid;
+ return 1, $cardnumber;
 }
 }
 if ( $userid && $userid eq C4::Context->config('user')
@@ -1416,8 +1416,8 @@ Returns member's flags or 0 if a permission is not met.
 sub haspermission {
 my ($userid, $flagsrequired) = @_;
- my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
- $sth->execute($userid);
+ my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=? or cardnumber=?");
+ $sth->execute($userid,$userid);
 my $flags = getuserflags( $sth->fetchrow(), $userid );
 if ( $userid eq C4::Context->config('user') ) {
 # Super User Account from /etc/koha.conf
--
2.20.1
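Review bot: The added `$md5password ne "!"` guard in the cardnumber branch of checkpw is dead as written: md5_base64() always yields a 22-character base64 string, so the `eq` comparison already fails whenever the stored value is the `!` sentinel and the extra test never changes the outcome. If `!` marks an account that must not log in, say so explicitly before the hash comparison, e.g. `return 0 if $md5password eq "!";   # account has no usable password` (using whatever value the rest of checkpw returns on failure, which lies outside this hunk), so the intent survives a later change of hash function. Returning `$cardnumber` instead of `$userid` also means callers now receive a different kind of identifier depending on which lookup matched (the userid lookup is not in the hunk), so anything downstream that compares that value with `C4::Context->config('user')` should be checked to ensure a cardnumber cannot stand in for the superuser login. Note too that `eq` on the two hashes is not a constant-time comparison; checkpw continues past the end of the hunk.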
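Review bot: With `WHERE userid=? or cardnumber=?` and a single `$sth->fetchrow()`, haspermission now takes the flags of whichever row the database returns first, so a string that is one borrower's userid and another borrower's cardnumber yields an arbitrary one of the two permission sets — a privilege-confusion path this commit introduces rather than closes. Fetch every matching row and refuse when there is more than one, e.g. `my @flags = map { $_->[0] } @{ $sth->fetchall_arrayref }; return 0 if @flags > 1;` (or have callers state which identifier they are passing), rather than silently trusting the first row. The `$userid eq C4::Context->config('user')` test on the following line is now reached with cardnumbers as well as logins, so a cardnumber equal to the koha.conf superuser name would presumably be treated as the super user; that deserves a comment or an explicit exclusion. haspermission continues past the end of the hunk, and `getuserflags` is defined elsewhere, so I cannot see how it treats a cardnumber as its second argument.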