Many SIP services send an empty password field (AD). Even if allow_empty_passwords is enabled for the given SIP account, this empty password is run through Koha's password checker which increments the number of login attempts for a patron. Thus repeated patron information requests can lock a patron out! Empty password fields in SIP should not call for a password check if allow_empty_passwords is enabled.
Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!
Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
if ( defined($patron_pwd) ) {
# If patron password was provided, report whether it was right or not.
- $password_rc = $patron->check_password($patron_pwd);
if ( $patron_pwd eq q{} && $server->{account}->{allow_empty_passwords} ) {
$password_rc = 1;
+ } else {
+ $password_rc = $patron->check_password($patron_pwd);
}
$resp .= add_field( FID_VALID_PATRON_PWD, sipbool( $password_rc ) );
}
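Review bot: The removed unconditional `$password_rc = $patron->check_password($patron_pwd);` was the cause of the lockout, since it ran (and bumped the failed-login counter) even when the empty-password branch then overwrote the result with 1; moving the call into the new `else` branch fixes that, but the change ships without a regression test. Please add a test to the SIP test suite that sends a Patron Information message with an empty AD field against an account with allow_empty_passwords set, asserts that FID_VALID_PATRON_PWD is Y, and asserts that the patron's login-attempt count is unchanged, plus a second case with allow_empty_passwords unset confirming the counter still increments. Note also that the `if ( defined($patron_pwd) )` guard means a message that omits the AD field entirely still skips the check, so the new branch only changes behaviour for a present-but-empty AD; that matches the commit message, but a one-line comment above the `if ( $patron_pwd eq q{} ... )` stating that check_password must not be called here because it counts failed attempts would make the intent clear to the next reader.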