Hello,
I updated from 0.10 to 0.12 and realized that any username / password is
accepted by the web frontend. The installation is configured to use internal
authentication. First I suspected the upgrade process somehow went wrong and
tried a fresh install. But the problem persisted. When I log in with a
made-up username, it even gets added to the database.
After trying to follow the logon process in the source with my limited PHP
knowledge, I suspect the software is using external authentication instead
of internal.
I could fix the problem for now by commenting out the following part of the
function userLogin in include/admfuncs.php. This is where the external
authentication is done and new user accounts are added.
    // remote auth doesn't check pass, but still needs an id stub
    // if($rmt)
    // {
    //     if(!$DATA)
    //     {
    //         // create a stub user and get the id
    //         $sql = 'INSERT INTO "user" (name, role_id, email) VALUES (';
    //         $sql .= $db->quote($user);
    //         $sql .= ", (SELECT id FROM role WHERE name = 'user')";
    //         $sql .= ", " . (empty($email)? 'NULL': $db->quote($email));
    //         $sql .= ")";
    //         if($db->exec($sql) != 1) return false;
    //
    //         // fetch defaults
    //         $sql = 'SELECT u.id, u.name, admin, email FROM "user" u';
    //         $sql .= " LEFT JOIN role r ON r.id = u.role_id";
    //         $sql .= " WHERE u.name = " . $db->quote($user);
    //         $DATA = $db->query($sql)->fetch();
    //     }
    //
    //     return $DATA;
    // }
I know this is not the definitive fix for the problem. It may just be a hint
for someone with better PHP knowledge.
Edi
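The logon flow Edi describes, reconstructed as an added example; this is not code from the project's include/admfuncs.php. The first function takes the remote-auth branch on a flag ($rmt) regardless of what the configuration says, which is the shape of bypass reported above: with the flag set, the password is never compared and an unknown name becomes a new account. The second function only takes that branch when the configuration selects external authentication and the web server has already authenticated the request, so internal mode has no path that skips password verification. The table layout, column names, the config key 'auth' and the REMOTE_USER check are assumptions made for illustration, and the account and passwords are constructed sample data.

```php
<?php
// Added example, not code from the project: a minimal userLogin() in two
// shapes, run against an in-memory SQLite database. Table layout, column names,
// the config key 'auth' and the REMOTE_USER check are assumptions.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE, admin INTEGER)');
    $db->exec('CREATE TABLE "user" (id INTEGER PRIMARY KEY, name TEXT UNIQUE, role_id INTEGER, email TEXT, pass TEXT)');
    $db->exec("INSERT INTO role (name, admin) VALUES ('user', 0), ('admin', 1)");
    // constructed sample account; only the password hash is stored
    $st = $db->prepare('INSERT INTO "user" (name, role_id, pass) VALUES (?, 1, ?)');
    $st->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function fetchUser(PDO $db, string $user): ?array
{
    $st = $db->prepare('SELECT u.id, u.name, r.admin, u.email, u.pass FROM "user" u'
        . ' LEFT JOIN role r ON r.id = u.role_id WHERE u.name = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function createStub(PDO $db, string $user): void
{
    $st = $db->prepare('INSERT INTO "user" (name, role_id) VALUES (?, (SELECT id FROM role WHERE name = \'user\'))');
    $st->execute([$user]);
}

// Shape of the reported failure: the remote-auth branch is selected by a flag
// that does not reflect the configured mode. With $rmt true, the password is
// never compared and an unknown name silently becomes a new account.
function userLoginVulnerable(PDO $db, string $user, string $pass, bool $rmt)
{
    $data = fetchUser($db, $user);
    if ($rmt) {
        if ($data === null) {
            createStub($db, $user);
            $data = fetchUser($db, $user);
        }
        return $data;                       // $pass is ignored entirely
    }
    if ($data === null || !password_verify($pass, (string) $data['pass'])) {
        return false;
    }
    return $data;
}

// Hardened shape: the stub path exists only when the configuration selects
// external authentication, and even then only after the web server has
// authenticated the request (REMOTE_USER set and equal to the submitted name).
// In internal mode there is no path that skips password_verify().
function userLoginHardened(PDO $db, string $user, string $pass, array $config, array $server)
{
    $data = fetchUser($db, $user);
    if (($config['auth'] ?? 'internal') === 'external') {
        $remote = $server['REMOTE_USER'] ?? '';
        if ($remote === '' || !hash_equals($remote, $user)) {
            return false;                   // not authenticated upstream
        }
        if ($data === null) {
            createStub($db, $user);
            $data = fetchUser($db, $user);
        }
        return $data;
    }
    if ($data === null || $data['pass'] === null || !password_verify($pass, $data['pass'])) {
        return false;
    }
    return $data;
}

// Vulnerable shape: internal installation, but the flag says remote.
$db = openDb();
$r = userLoginVulnerable($db, 'nobody', 'whatever', true);
echo 'vulnerable, unknown user: ', $r ? 'ACCEPTED (id ' . $r['id'] . ')' : 'rejected', PHP_EOL;

// Hardened shape with internal authentication configured.
$db = openDb();
$cfg = ['auth' => 'internal'];
$r1 = userLoginHardened($db, 'nobody', 'whatever', $cfg, []);
$r2 = userLoginHardened($db, 'alice', 'wrong', $cfg, []);
$r3 = userLoginHardened($db, 'alice', 'correct horse', $cfg, []);
echo 'hardened, unknown user: ', $r1 ? 'ACCEPTED' : 'rejected', PHP_EOL;
echo 'hardened, wrong password: ', $r2 ? 'ACCEPTED' : 'rejected', PHP_EOL;
echo 'hardened, right password: ', $r3 ? 'ACCEPTED (id ' . $r3['id'] . ')' : 'rejected', PHP_EOL;
echo 'stub created in internal mode? ', fetchUser($db, 'nobody') === null ? 'no' : 'yes', PHP_EOL;
```

The point of the hardened variant is that the decision to trust a remote identity is made from the configuration and from what the web server actually set, not from a flag computed elsewhere in the request path; a quick check on a real installation is to run the internal-mode login with a name that does not exist and confirm that no row appears in the user table afterwards.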