  1. eZ Publish / Platform
  2. EZP-18755

REST api: basic auth filter not working with custom login handlers or HashType != md5_user, disabled users

    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 2011.9, 4.6.0-dev
    • Fix Version/s: None
    • Labels:
      None

      Description

      The current ezpRestBasicAuthStyle class relies on the ezc standard authentication-to-db tiein to verify if the user is valid, by generating by hand the hash of the user password to validate in the db.

      But this does not work in all cases:

      • if HashType=md5_site or HashType=md5_password this will not work
      • if there is a custom login handler in place, this will not work, as auth might be done against an external system (ldap, anyone???)
      • it does not check for disabled users

      Proposal to fix:

      • store in ezc credentials struct the actual password received instead of the hash
      • implement a new ezcAuthenticationFilter that delegates authentication to the standard ezp login subsystem*
      • to keep maximum backward compatibility of existing ezpRestBasicAuthStyle, and maximum speed/scalability (ez code will use ezdb instead of ezcdb for its authentication needs, thus generating 2 db connections instead of one), this can be wrapped up in a new "auth style" class: ezpRestAdvancedAuthStyle
      • it would be nice to also wrap the code looping through loginhandlers in a php class outside of user/login view, move it maybe to eZUserLoginHandler
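
The three failure cases and the proposed delegation, as an added sketch that is not code from this report or from eZ Publish. The accounts, passwords, site name, function names and the hash layout assumed for each HashType are all constructed for illustration.

```php
<?php
// Constructed sketch: every name, record and hash layout here is hypothetical.
const SITE = 'example.test';
// Assumed hash layouts for the three HashType values named in the report.
function makeHash(string $type, string $login, string $pw): string
{
    switch ($type) {
        case 'md5_user':     return md5("$login\n$pw");
        case 'md5_site':     return md5("$login\n$pw\n" . SITE);
        case 'md5_password': return md5($pw);
    }
    throw new InvalidArgumentException("unknown hash type $type");
}

// Constructed accounts: carol is disabled; dave exists only in an external directory.
function sampleUsers(): array
{
    return [
        'alice' => ['type' => 'md5_user', 'enabled' => true,  'hash' => makeHash('md5_user', 'alice', 'pw-a')],
        'bob'   => ['type' => 'md5_site', 'enabled' => true,  'hash' => makeHash('md5_site', 'bob', 'pw-b')],
        'carol' => ['type' => 'md5_user', 'enabled' => false, 'hash' => makeHash('md5_user', 'carol', 'pw-c')],
    ];
}

// Behaviour the report describes: a hand-built md5_user hash compared to the stored one.
function handHashedCheck(string $login, string $pw): bool
{
    $u = sampleUsers()[$login] ?? null;
    return $u !== null && hash_equals($u['hash'], makeHash('md5_user', $login, $pw));
}

// Proposed shape: keep the received password and ask each login handler in turn.
function delegatedCheck(string $login, string $pw): bool
{
    $standard = function (string $login, string $pw): bool {
        $u = sampleUsers()[$login] ?? null;
        return $u !== null && $u['enabled'] && hash_equals($u['hash'], makeHash($u['type'], $login, $pw));
    };
    // Stand-in for a custom login handler backed by an external system.
    $external = fn (string $login, string $pw): bool => $login === 'dave' && hash_equals('pw-d', $pw);
    foreach ([$standard, $external] as $handler) {
        if ($handler($login, $pw)) return true;
    }
    return false;
}

foreach ([['alice', 'pw-a'], ['bob', 'pw-b'], ['carol', 'pw-c'], ['dave', 'pw-d']] as [$l, $p]) {
    printf("%-6s hand-hashed=%-5s delegated=%s\n", $l, var_export(handHashedCheck($l, $p), true), var_export(delegatedCheck($l, $p), true));
}
```

Run with correct passwords, the hand-hashed check rejects bob and dave and accepts the disabled carol, while the delegated check accepts bob and dave and rejects carol.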


            People

            • Assignee:
              unknown
              Reporter:
              Gaetano Giunta
