Hello, I updated from 0.10 to 0.12 and realized that any username / password is accepted by the web frontend. The installation is configured to use internal authentication. First I suspected the upgrade process somehow went wrong and tried a fresh install. But the problem persisted. When I log in with a fantasy username, it even gets added to the database.
After trying to follow the logon process in the source with my limited PHP knowledge, I suspect the software is using external authentication instead of internal. I could fix the problem for now by commenting out the following part of the function userLogin in include/admfuncs.php. This is where the external authentication is done and new user accounts are added.

// remote auth doesn't check pass, but still needs an id stub
// if($rmt)
// {
//     if(!$DATA)
//     {
//         // create a stub user and get the id
//         $sql = 'INSERT INTO "user" (name, role_id, email) VALUES (';
//         $sql .= $db->quote($user);
//         $sql .= ", (SELECT id FROM role WHERE name = 'user')";
//         $sql .= ", " . (empty($email)? 'NULL': $db->quote($email));
//         $sql .= ")";
//         if($db->exec($sql) != 1) return false;
//
//         // fetch defaults
//         $sql = 'SELECT u.id, u.name, admin, email FROM "user" u';
//         $sql .= " LEFT JOIN role r ON r.id = u.role_id";
//         $sql .= " WHERE u.name = " . $db->quote($user);
//         $DATA = $db->query($sql)->fetch();
//     }
//
//     return $DATA;
// }

I know this is not the definitive fix for the problem. It may be just a hint for someone with better PHP knowledge. Edi
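The post above describes a login routine whose "remote authentication" branch skips the password check and creates a stub account, and that branch is being reached even though internal authentication is configured. The following is an added example, written for this page and not code from the project or from the post, of how such a routine can keep the two paths apart so that the password-less path is only taken when the web server really did authenticate the request. It assumes (none of this is from the original) that the configured mode is passed in as `$authMode`, that passwords are stored as `password_hash()` values in a `user.pass` column, that `$db` is a PDO connection, and that external authentication is signalled by the web server through `$_SERVER['REMOTE_USER']`.

```php
<?php
// Added example (not the project's code). Assumptions: $authMode is the
// configured mode ('internal' or 'remote'), passwords live in user.pass as
// password_hash() output, $db is a PDO connection, and external auth is
// signalled by the web server via $_SERVER['REMOTE_USER'].

function userLogin(PDO $db, string $authMode, string $user, string $pass): ?array
{
    // The remote path is taken only if BOTH the configuration selects it AND
    // the web server actually authenticated this request for this user.
    // A configuration flag on its own is never enough to skip the password.
    $rmt = ($authMode === 'remote')
        && isset($_SERVER['REMOTE_USER'])
        && $_SERVER['REMOTE_USER'] === $user;

    // Bound parameter instead of string concatenation with quote().
    $sql = 'SELECT u.id, u.name, u.pass, r.name AS role FROM "user" u'
         . ' LEFT JOIN role r ON r.id = u.role_id'
         . ' WHERE u.name = :name';
    $stmt = $db->prepare($sql);
    $stmt->execute([':name' => $user]);
    $data = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    if (!$rmt) {
        // Internal authentication: an unknown user or a wrong password fails,
        // and no account is ever created on this path.
        if ($data === null || !password_verify($pass, $data['pass'])) {
            return null;
        }
        unset($data['pass']);
        return $data;
    }

    // Remote authentication: the web server vouched for the user, so a stub
    // account may be created, but only with the lowest role, and the event
    // is logged so unexpected account creation is visible in the logs.
    if ($data === null) {
        $ins = $db->prepare(
            'INSERT INTO "user" (name, role_id) VALUES '
          . '(:name, (SELECT id FROM role WHERE name = \'user\'))'
        );
        if (!$ins->execute([':name' => $user])) {
            return null;
        }
        error_log("userLogin: created stub account for remote user '$user'");
        $stmt->execute([':name' => $user]);
        $data = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }
    if ($data !== null) {
        unset($data['pass']);
    }
    return $data;
}
```

The point of the example is the derivation of `$rmt`: the password-less branch has to be gated on evidence that an upstream component actually authenticated the request, not merely on a flag that happens to be set. A quick check for the symptom the post describes is to log in with a name that does not exist while internal authentication is configured; if a row appears in the `user` table, the remote branch is being reached and the guard in front of it is wrong.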