From 23f5e53a41c763b4253dcba797c23b7c39b6ef41 Mon Sep 17 00:00:00 2001
From: Brett Profitt <brett.profitt@gmail.com>
Date: Tue, 24 Apr 2012 15:27:47 -0700
Subject: Fixed problem in web services where users with incorrect passwords
 could gain an access token.

---
 engine/lib/sessions.php     | 4 ++++
 engine/lib/web_services.php | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

(limited to 'engine')

diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 9982d9fe8..419d36707 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -127,6 +127,10 @@ function elgg_is_admin_user($user_guid) {
 /**
  * Perform user authentication with a given username and password.
  *
+ * @warning This returns an error message on failure. Use the identical operator to check
+ * for access: if (true === elgg_authenticate()) { ... }.
+ *
+ *
  * @see login
  *
  * @param string $username The username
diff --git a/engine/lib/web_services.php b/engine/lib/web_services.php
index 07be76ec6..da3ed76a9 100644
--- a/engine/lib/web_services.php
+++ b/engine/lib/web_services.php
@@ -1165,7 +1165,7 @@ function list_all_apis() {
  * @access private
  */
 function auth_gettoken($username, $password) {
-	if (elgg_authenticate($username, $password)) {
+	if (true === elgg_authenticate($username, $password)) {
 		$token = create_user_token($username);
 		if ($token) {
 			return $token;
-- 
cgit v1.2.3