Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 2011.9, 4.6.0-dev
- None
Description
The current ezpRestBasicAuthStyle class relies on the ezc standard authentication-to-database tie-in to verify whether a user is valid, by generating the hash of the user's password by hand and validating it against the db.
But this does not work in all cases:
- if HashType=md5_site or HashType=md5_password, this will not work
- if there is a custom login handler in place, this will not work, as authentication might be done against an external system (LDAP, anyone???)
- it does not check for disabled users
Proposal to fix:
- store in the ezc credentials struct the actual password received instead of the hash
- implement a new ezcAuthenticationFilter that delegates authentication to the standard ezp login subsystem*
- to keep maximum backward compatibility of the existing ezpRestBasicAuthStyle, and maximum speed/scalability (eZ code will use ezdb instead of ezcdb for its authentication needs, thus generating 2 db connections instead of one), this can be wrapped up in a new "auth style" class: ezpRestAdvancedAuthStyle
- it would be nice to also wrap the code looping through login handlers in a PHP class outside of the user/login view, and move it maybe to eZUserLoginHandler
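As an added example (not code from the bug report, from eZ Publish or from its REST layer), the following sketches the first two proposal items: the credentials carry the plaintext password received over HTTP basic auth, and a custom ezcAuthenticationFilter hands that password to the kernel instead of rebuilding a hash by hand. The class name ezpRestDelegatingAuthFilter and the helper ezpRestAuthenticateBasic are hypothetical; the ezcAuthenticationFilter / ezcAuthenticationPasswordCredentials / ezcAuthentication API is the Zeta Components one, and eZUser::loginUser() is assumed to be the kernel entry point that applies the configured HashType and any custom LoginHandler. The explicit isEnabled() check is kept regardless of what the kernel does internally, since the missing disabled-user check is one of the three problems listed above.

```php
<?php
// Added example, not part of the original issue or of eZ Publish.
// Assumptions: Zeta Components Authentication is autoloadable, and
// eZUser::loginUser( $login, $password ) returns an eZUser on success
// (applying HashType and the configured LoginHandler chain) or false.

class ezpRestDelegatingAuthFilter extends ezcAuthenticationFilter
{
    // Status codes returned by run(); STATUS_OK (0) comes from the parent.
    const STATUS_USERNAME_INCORRECT = 1;
    const STATUS_PASSWORD_INCORRECT = 2;
    const STATUS_USER_DISABLED      = 3;

    /** @var eZUser|null the user object on success, so the caller does not reload it */
    private $user = null;

    /**
     * @param ezcAuthenticationPasswordCredentials $credentials
     *        id = login, password = the PLAINTEXT password from the Basic header,
     *        not a hash computed by the REST layer.
     */
    public function run( $credentials )
    {
        $login    = (string) $credentials->id;
        $password = (string) $credentials->password;

        if ( $login === '' || $password === '' )
        {
            return self::STATUS_USERNAME_INCORRECT;
        }

        // Delegate to the kernel. Hash type (md5_site, md5_password, ...) and
        // any external LoginHandler (e.g. LDAP) are handled there, so this
        // filter never needs to know how passwords are stored.
        // Assumption: eZUser::loginUser() may also mark the user as the
        // session user; if the REST layer must stay stateless, call the
        // non-session variant of the kernel API instead.
        $user = eZUser::loginUser( $login, $password );
        if ( !( $user instanceof eZUser ) )
        {
            return self::STATUS_PASSWORD_INCORRECT;
        }

        // Explicit disabled-user check: the original auth style skipped it.
        if ( !$user->isEnabled() )
        {
            return self::STATUS_USER_DISABLED;
        }

        $this->user = $user;
        return self::STATUS_OK;
    }

    /** @return eZUser|null */
    public function authenticatedUser()
    {
        return $this->user;
    }
}

/**
 * Hypothetical glue for an auth style: wire the plaintext credentials into
 * ezcAuthentication with the delegating filter. Returns the eZUser on
 * success, false otherwise; the ezcAuthentication status array can be
 * inspected by the caller to map the failure to a 401 / 403 response.
 */
function ezpRestAuthenticateBasic( $login, $password, &$status = null )
{
    $credentials    = new ezcAuthenticationPasswordCredentials( $login, $password );
    $authentication = new ezcAuthentication( $credentials );
    $filter         = new ezpRestDelegatingAuthFilter();
    $authentication->addFilter( $filter );

    if ( !$authentication->run() )
    {
        $status = $authentication->getStatus();
        return false;
    }
    return $filter->authenticatedUser();
}
```

Because only one code path (the kernel's) ever compares passwords, the second db connection mentioned in the third proposal item goes away too: the filter does not open an ezcDb handle at all, which is the reason to expose it through a separate ezpRestAdvancedAuthStyle rather than changing the behaviour of existing ezpRestBasicAuthStyle deployments.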