[Bug 21997] New: SIP patron information requests can lock patron out of account


[Bug 21997] New: SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

            Bug ID: 21997
           Summary: SIP patron information requests can lock patron out of
                    account
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: SIP2
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run through Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
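The lock-out path the report describes, modelled as an added example that is not part of the bug report or of Koha's code. A small Python simulation of the SIP2 Patron Information (message 63) handler: the `patched` switch reproduces the behaviour before and after the fix, and the lockout limit of 3 with four empty-AD requests follows the test plan. The SIP2 layout is reduced to the fields needed here, and `PatronStore`, `password_check_required`, `handle_patron_information`, `build_request` and `run_test_plan` are names made up for this illustration; real Koha resolves the SIP account's allow_empty_passwords setting from its SIPconfig, which this model takes as a plain boolean.

```python
"""Model of the lockout path in Koha bug 21997 (added example, not Koha's code).

A SIP2 Patron Information request (message 63) carries the patron password in
field AD. Before the fix an empty AD was still passed to the password checker,
so every such request counted as a failed login and the patron was locked out
after `limit` requests. The fix gates the checker on allow_empty_passwords.
"""
from dataclasses import dataclass, field

# Fixed-length part of a 63 message: "63" + language(3) + date(18) + summary(10)
FIXED_HEADER_LEN = 2 + 3 + 18 + 10


def parse_fields(message: str) -> dict:
    """Return the '|'-separated variable fields (2-char ids) of a 63 message.

    Messages are expected without the trailing CR and without the AY/AZ tail,
    which this reduced model does not construct. An empty AD yields ''.
    """
    if not message.startswith("63"):
        raise ValueError("not a Patron Information request")
    parsed = {}
    for item in message[FIXED_HEADER_LEN:].rstrip("|").split("|"):
        if len(item) >= 2:
            parsed[item[:2]] = item[2:]
    return parsed


@dataclass
class PatronStore:
    """Stand-in for the patron table: stored password and failed-login counter."""
    limit: int
    passwords: dict = field(default_factory=dict)
    login_attempts: dict = field(default_factory=dict)

    def is_locked(self, patron_id: str) -> bool:
        return self.login_attempts.get(patron_id, 0) >= self.limit

    def check_password(self, patron_id: str, password: str) -> bool:
        """The password checker: any mismatch increments the attempt counter."""
        ok = self.passwords.get(patron_id) == password
        if not ok:
            self.login_attempts[patron_id] = self.login_attempts.get(patron_id, 0) + 1
        return ok


def password_check_required(password: str, allow_empty_passwords: bool,
                            patched: bool) -> bool:
    """Gate in front of the checker.

    patched=False reproduces the reported behaviour: every AD value, empty or
    not, is checked. patched=True skips the checker for an empty AD when the
    SIP account has allow_empty_passwords set, so the counter is untouched.
    """
    if patched and allow_empty_passwords and password == "":
        return False
    return True


def handle_patron_information(store: PatronStore, message: str,
                              allow_empty_passwords: bool, patched: bool):
    """Process one 63 request; return (patron_id, password_accepted)."""
    parsed = parse_fields(message)
    patron_id, password = parsed["AA"], parsed.get("AD", "")
    if store.is_locked(patron_id):
        return patron_id, False
    if password_check_required(password, allow_empty_passwords, patched):
        return patron_id, store.check_password(patron_id, password)
    # Empty password accepted without consulting the checker (model assumption).
    return patron_id, True


def build_request(patron_id: str, password: str) -> str:
    """Constructed 63 message: fixed header, then AO/AA/AC/AD fields."""
    header = "63" + "001" + "20181209    120000" + "Y" + " " * 9
    return header + f"AOMAIN|AA{patron_id}|AC|AD{password}|"


def run_test_plan(requests: int, patched: bool, limit: int = 3,
                  allow_empty_passwords: bool = True, password: str = "") -> bool:
    """Steps 1-3 / 5-6 of the test plan: send `requests` Patron Information
    messages for one patron and report whether the account ended up locked."""
    store = PatronStore(limit=limit, passwords={"42": "s3cret"})
    for _ in range(requests):
        handle_patron_information(store, build_request("42", password),
                                  allow_empty_passwords, patched)
    return store.is_locked("42")


if __name__ == "__main__":
    print("unpatched, 4 empty-AD requests, limit 3 -> locked:", run_test_plan(4, patched=False))
    print("patched,   4 empty-AD requests, limit 3 -> locked:", run_test_plan(4, patched=True))
    print("patched,   4 wrong-password requests   -> locked:", run_test_plan(4, patched=True, password="wrong"))
```

Running the module prints the locked state for each scenario: only the unpatched empty-AD run, a run with a genuinely wrong password, or a run where allow_empty_passwords is off reaches the lockout, which is the behaviour the test plan is checking for. On a live deployment the same condition is visible as a patron whose login_attempts climbs without any real login, and SIP clients that send bare AD fields are the usual source.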

[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

--- Comment #1 from Kyle M Hall <[hidden email]> ---
Created attachment 83183
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=83183&action=edit
Bug 21997 - SIP patron information requests can lock patron out of account

Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run through Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.

Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Patch complexity|---                         |Trivial patch
           Severity|enhancement                 |normal
           Assignee|[hidden email]-community.org |[hidden email]


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Charles Farmer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #83183 is obsolete|0                           |1

--- Comment #2 from Charles Farmer <[hidden email]> ---
Created attachment 84230
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84230&action=edit
Bug 21997 - SIP patron information requests can lock patron out of account

Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run through Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.

Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!

Signed-off-by: Charles Farmer <[hidden email]>


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

David Nind <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|Needs Signoff               |Signed Off


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.renvoize@ptfs-europe.com
             Status|Signed Off                  |Failed QA

--- Comment #3 from Martin Renvoize <[hidden email]> ---
Can we have an accompanying test pretty please..

I think there's enough SIP test scaffolding in place to make this viable.

Failing QA


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         QA Contact|[hidden email]-community.org |martin.renvoize@ptfs-europe.com


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Signed Off


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

--- Comment #4 from Kyle M Hall <[hidden email]> ---
Created attachment 84989
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84989&action=edit
Bug 21997: Unit tests


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #84230 is obsolete|0                           |1

--- Comment #5 from Kyle M Hall <[hidden email]> ---
Created attachment 84990
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84990&action=edit
Bug 21997 - SIP patron information requests can lock patron out of account

Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run through Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.

Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!

Signed-off-by: Charles Farmer <[hidden email]>


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #84989 is obsolete|0                           |1
  Attachment #84990 is obsolete|0                           |1

--- Comment #6 from Kyle M Hall <[hidden email]> ---
Created attachment 84991
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84991&action=edit
Bug 21997: Unit tests


[Bug 21997] SIP patron information requests can lock patron out of account

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21997

--- Comment #7 from Kyle M Hall <[hidden email]> ---
Created attachment 84992
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84992&action=edit
Bug 21997 - SIP patron information requests can lock patron out of account

Many SIP services send an empty password field (AD). Even if
allow_empty_passwords is enabled for the given SIP account, this empty password
is run through Koha's password checker which increments the number of login
attempts for a patron. Thus repeated patron information requests can lock a
patron out! Empty password fields in SIP should not call for a password check
if allow_empty_passwords is enabled.

Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!

Signed-off-by: Charles Farmer <[hidden email]>
