auth: Fixed passdb skip_password_check / result_success=continue-fail handling
authorTimo Sirainen <tss@iki.fi>
Mon, 7 Sep 2015 11:08:52 +0000 (14:08 +0300)
committerTimo Sirainen <tss@iki.fi>
Mon, 7 Sep 2015 11:08:52 +0000 (14:08 +0300)
If passdb returned success, but result_success=continue-fail, it means that
the authentication didn't succeed. So we still want to check the password
again and in general treat the request as unauthenticated (especially for
the passdb { skip } setting).

So the current logic means that there are 2 ways for the request to be
treated as authenticated and skipping any password checking:

1) passdb lookup succeeding, with result_success=continue, continue-ok,
return or return-ok

2) passdb lookup not succeeding, with result_failure=continue-ok or
return-ok

It's a bit questionable though if 2) should be allowed.

src/auth/auth-request.c

index 458e867e8d5013577aa696ca2eb1b08660f4dd56..c22a7872a191a3200840958101bdabf6481ac868 100644 (file)
@@ -593,10 +593,18 @@ auth_request_handle_passdb_callback(enum passdb_result *result,
                break;
        case AUTH_DB_RULE_CONTINUE:
                passdb_continue = TRUE;
+               if (*result == PASSDB_RESULT_OK) {
+                       /* password was successfully verified. don't bother
+                          checking it again. */
+                       request->skip_password_check = TRUE;
+               }
                break;
        case AUTH_DB_RULE_CONTINUE_OK:
                passdb_continue = TRUE;
                request->passdb_success = TRUE;
+               /* password was successfully verified. don't bother
+                  checking it again. */
+               request->skip_password_check = TRUE;
                break;
        case AUTH_DB_RULE_CONTINUE_FAIL:
                passdb_continue = TRUE;
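Review bot: In the `AUTH_DB_RULE_CONTINUE_OK` case, `request->skip_password_check = TRUE;` is set without testing `*result`, while the copied comment still claims the password was successfully verified. The check removed in the next hunk required `*result == PASSDB_RESULT_OK`, so this widens the skip: going by the commit description, result_failure=continue-ok also lands here, and later passdbs would then skip checking a password that no passdb has verified. If that is intended, the comment should say so, e.g. `/* rule forces success: later passdbs skip the password check even if this lookup failed */`. Otherwise guard the assignment as the `AUTH_DB_RULE_CONTINUE` case does, with `if (*result == PASSDB_RESULT_OK)`. The switch expression and the rule selection are outside the hunk, so which result values reach this case should be confirmed there.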
@@ -604,12 +612,6 @@ auth_request_handle_passdb_callback(enum passdb_result *result,
                break;
        }
 
-       if (*result == PASSDB_RESULT_OK && passdb_continue) {
-               /* password was successfully verified. don't bother
-                  checking it again. */
-               request->skip_password_check = TRUE;
-       }
-
        if (request->requested_login_user != NULL &&
            *result == PASSDB_RESULT_OK) {
                auth_request_master_lookup_finish(request);