Commit
Fix 0013901: SOAP API allows invoking methods without proper authentication

Note: only applied to 1.2.x not 'next', as the code is changing anyway
5e9ead3
Good fix!
I wonder if we should only return false when the password is null; otherwise, we should allow validation of blank passwords. For example, when users are created by an administrator and email notifications are off, they are created with empty passwords. In such a case, they won't be able to log in via a client that is dependent on the SOAP API. Not a typical scenario, but it seems we are failing for a case that should be valid.