auth: Disable auth caching entirely for master users.

The cache key contains only the master username, without the logged-in username,
so wrong data could be looked up from cache.

diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index ad63415d0d3705687313863bf95a4c835915c313..63ce67deb3cb2f232f90b9da3de529df735e7a87 100644 (file)
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -290,10 +290,8 @@ static void auth_request_save_cache(struct auth_request *request,
        extra_fields = request->extra_fields == NULL ? NULL :
                auth_stream_reply_export(request->extra_fields);
 
-       if (passdb_cache == NULL)
-               return;
-
-       if (passdb->cache_key == NULL)
+       if (passdb_cache == NULL || passdb->cache_key == NULL ||
+           request->master_user != NULL)
                return;
 
        if (result < 0) {
@@ -712,7 +710,8 @@ static void auth_request_userdb_save_cache(struct auth_request *request,
        struct userdb_module *userdb = request->userdb->userdb;
        const char *str;
 
-       if (passdb_cache == NULL || userdb->cache_key == NULL)
+       if (passdb_cache == NULL || userdb->cache_key == NULL ||
+           request->master_user != NULL)
                return;
 
        str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
@@ -731,6 +730,9 @@ static bool auth_request_lookup_user_cache(struct auth_request *request,
        struct auth_cache_node *node;
        bool expired, neg_expired;
 
+       if (request->master_user != NULL)
+               return FALSE;
+
        value = auth_cache_lookup(passdb_cache, request, key, &node,
                                  &expired, &neg_expired);
        if (value == NULL || (expired && !use_expired)) {

diff --git a/src/auth/passdb-cache.c b/src/auth/passdb-cache.c
index b4cb1ceae1654d002e269abc670f4ee3a011612e..3aa2f428d9ea1e98cb22d30c4bf12d847ca7db5f 100644 (file)
--- a/src/auth/passdb-cache.c
+++ b/src/auth/passdb-cache.c
@@ -32,7 +32,7 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
        int ret;
        bool expired, neg_expired;
 
-       if (passdb_cache == NULL || key == NULL)
+       if (passdb_cache == NULL || key == NULL || request->master_user != NULL)
                return FALSE;
 
        /* value = password \t ... */
@@ -96,7 +96,7 @@ bool passdb_cache_lookup_credentials(struct auth_request *request,
        struct auth_cache_node *node;
        bool expired, neg_expired;
 
-       if (passdb_cache == NULL)
+       if (passdb_cache == NULL || request->master_user != NULL)
                return FALSE;
 
        value = auth_cache_lookup(passdb_cache, request, key, &node,