aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBrett Profitt <brett.profitt@gmail.com>2012-04-24 15:27:47 -0700
committerBrett Profitt <brett.profitt@gmail.com>2012-04-24 15:27:47 -0700
commit23f5e53a41c763b4253dcba797c23b7c39b6ef41 (patch)
tree2d44f91d211665b9662861f889ac4352f9a7e8c7
parentec474c8f70406149ec515a0e09020ecd1b5292ec (diff)
downloadelgg-23f5e53a41c763b4253dcba797c23b7c39b6ef41.tar.gz
elgg-23f5e53a41c763b4253dcba797c23b7c39b6ef41.tar.bz2
Fixed problem in web services where users with incorrect passwords could gain an access token.
-rw-r--r--engine/lib/sessions.php4
-rw-r--r--engine/lib/web_services.php2
2 files changed, 5 insertions, 1 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 9982d9fe8..419d36707 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -127,6 +127,10 @@ function elgg_is_admin_user($user_guid) {
/**
* Perform user authentication with a given username and password.
*
+ * @warning This returns an error message on failure. Use the identical operator to check
+ * for access: if (true === elgg_authenticate()) { ... }.
+ *
+ *
* @see login
*
* @param string $username The username
diff --git a/engine/lib/web_services.php b/engine/lib/web_services.php
index 07be76ec6..da3ed76a9 100644
--- a/engine/lib/web_services.php
+++ b/engine/lib/web_services.php
@@ -1165,7 +1165,7 @@ function list_all_apis() {
* @access private
*/
function auth_gettoken($username, $password) {
- if (elgg_authenticate($username, $password)) {
+ if (true === elgg_authenticate($username, $password)) {
$token = create_user_token($username);
if ($token) {
return $token;