Fixed problem in web services where users with incorrect passwords could gain an...
authorBrett Profitt <brett.profitt@gmail.com>
Tue, 24 Apr 2012 22:27:47 +0000 (15:27 -0700)
committerBrett Profitt <brett.profitt@gmail.com>
Tue, 24 Apr 2012 22:27:47 +0000 (15:27 -0700)
engine/lib/sessions.php
engine/lib/web_services.php

index 9982d9fe8f42e065337645bbdf6b66ab22caea95..419d367076087bc2cc13cef2fe45691b5499c5ab 100644 (file)
@@ -127,6 +127,10 @@ function elgg_is_admin_user($user_guid) {
 /**
  * Perform user authentication with a given username and password.
  *
+ * @warning This returns an error message on failure. Use the identical operator to check
+ * for access: if (true === elgg_authenticate()) { ... }.
+ *
+ *
  * @see login
  *
  * @param string $username The username
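Review bot: The example in the new `@warning` calls `elgg_authenticate()` without arguments and is followed by two empty ` *` lines. Writing it as `if (true === elgg_authenticate($username, $password)) { ... }` and dropping the extra blank line would make it safe to copy. The docblock continues outside the hunk, so the `@return` tag is not visible here; it should state the mixed contract, for example `@return true|string True on success, an error message string on failure`. That matters because a non-empty string is truthy in PHP, so a loose `if` treats a failed login as a successful one.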
index 07be76ec61bdba947feedb1b7721fbaa3f30192a..da3ed76a9cbfc82720058bb7468a124a2780270a 100644 (file)
@@ -1165,7 +1165,7 @@ function list_all_apis() {
  * @access private
  */
 function auth_gettoken($username, $password) {
-       if (elgg_authenticate($username, $password)) {
+       if (true === elgg_authenticate($username, $password)) {
                $token = create_user_token($username);
                if ($token) {
                        return $token;
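Review bot: The strict comparison in `auth_gettoken` carries no comment saying why it must stay strict, so a later cleanup could turn it back into a truthiness test and reopen the bypass. Add `// elgg_authenticate() returns an error string (truthy) on failure; compare strictly against true` above the `if`. The commit touches only this one call site, so other callers of `elgg_authenticate()` elsewhere in the codebase may still test the result loosely and are worth auditing. A regression test asserting that a wrong password yields no token would pin the fix. The function body continues outside the hunk, so the failure path is not visible here.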