Fix 0013901: SOAP API allows invoking methods without proper authentication

Note: only applied to 1.2.x not 'next', as the code is changing anyway
root committed Feb 16, 2012
1 parent af78d81 commit 5e9ead3
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions api/soap/mc_api.php
Expand Up @@ -51,6 +51,11 @@ function mci_check_login( $p_username, $p_password ) {

# do not use password validation.
$p_password = null;
} else {
if( is_blank( $p_password ) ) {
# require password for authenticated access
return false;
}
}

if( false === auth_attempt_script_login( $p_username, $p_password ) ) {
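Review bot: the new `is_blank( $p_password )` guard in the `else` branch makes a blank password fail closed before `auth_attempt_script_login()` is ever called, which is the right default for an API entry point; one point worth stating in the code is that `is_blank()` treats a null password and an empty-string password alike, so an account that legitimately has an empty password is rejected here as well. If that is intended, a comment such as `# blank and null passwords are never accepted for named users` next to the check makes the decision explicit; if empty passwords must remain usable, a narrower `null === $p_password` test would be the place to relax it, still ahead of the login attempt. Since the commit message says this is applied only to 1.2.x, the equivalent guard on 'next' should be tracked so the branch does not ship without it.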

1 comment on commit 5e9ead3

@vboctor
Member


Good fix!

I wonder if we should only return false when the password is null; otherwise, we should allow validation of blank passwords. For example, when users are created by an administrator and email notifications are off, they are created with empty passwords. In such a case, they won't be able to log in via a client that is dependent on the SOAP API. Not a typical scenario, but it seems we are failing for a case that should be valid.
