Bug 16610 - Regression in SIP2 user password handling

Previous to bug 14507, SIP2 only did internal authentication. A change
to the way we check empty passwords has caused any empty password to
send back a CQ of Y. Previous to that patch set, a CQ of Y would only be
sent back of the patron password column was NULL. Now, an empty AD field
*always* returns a CQ of Y.

Test Plan:
1) Send a patron information request with an empty AD field
   Note: You must send the AD field or you won't get back a CQ field
2) Note you get back a CQ of Y
3) Apply this patch
4) Repeat step 1
5) Note you now get back a CQ of N

Signed-off-by: Trent Roby <troby@bclib.info>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

diff --git a/C4/SIP/ILS/Patron.pm b/C4/SIP/ILS/Patron.pm
index d61b097..9eb249c 100644 (file)
--- a/C4/SIP/ILS/Patron.pm
+++ b/C4/SIP/ILS/Patron.pm
@@ -193,11 +193,11 @@ sub AUTOLOAD {
 sub check_password {
     my ( $self, $pwd ) = @_;
 
-    defined $pwd
-      or return 0;    # you gotta give me something (at least ''), or no deal
+    # you gotta give me something (at least ''), or no deal
+    return 0 unless defined $pwd;
 
-    return 1
-      if $pwd eq q{};    # if the record has a NULL password, accept '' as match
+    # If the record has a NULL password, accept '' as match
+    return $pwd eq q{} unless $self->{password};
 
     my $dbh = C4::Context->dbh;
     my $ret = 0;