diff options
| author | Brett Profitt <brett.profitt@gmail.com> | 2012-04-24 15:27:47 -0700 |
|---|---|---|
| committer | Brett Profitt <brett.profitt@gmail.com> | 2012-04-24 15:27:47 -0700 |
| commit | 23f5e53a41c763b4253dcba797c23b7c39b6ef41 (patch) | |
| tree | 2d44f91d211665b9662861f889ac4352f9a7e8c7 | |
| parent | ec474c8f70406149ec515a0e09020ecd1b5292ec (diff) | |
| download | elgg-23f5e53a41c763b4253dcba797c23b7c39b6ef41.tar.gz elgg-23f5e53a41c763b4253dcba797c23b7c39b6ef41.tar.bz2 | |
Fixed problem in web services where users with incorrect passwords could gain an access token.
| -rw-r--r-- | engine/lib/sessions.php | 4 | ||||
| -rw-r--r-- | engine/lib/web_services.php | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index 9982d9fe8..419d36707 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -127,6 +127,10 @@ function elgg_is_admin_user($user_guid) { /** * Perform user authentication with a given username and password. * + * @warning This returns an error message on failure. Use the identical operator to check + * for access: if (true === elgg_authenticate()) { ... }. + * + * * @see login * * @param string $username The username diff --git a/engine/lib/web_services.php b/engine/lib/web_services.php index 07be76ec6..da3ed76a9 100644 --- a/engine/lib/web_services.php +++ b/engine/lib/web_services.php @@ -1165,7 +1165,7 @@ function list_all_apis() { * @access private */ function auth_gettoken($username, $password) { - if (elgg_authenticate($username, $password)) { + if (true === elgg_authenticate($username, $password)) { $token = create_user_token($username); if ($token) { return $token; |