Bug 21997: SIP patron information requests can lock patron out of account

Many SIP services send an empty password field (AD). Even if allow_empty_passwords is enabled for the given SIP account, this empty password is run though Koha's password checker which increments the number of login attempts for a patron. Thus repeated patron information requests can lock a patron out! Empty password fields in SIP should not call for a password check if allow_empty_passwords is enabled.

Test Plan:
1) Enable a patron password attempt with a limit of 3
2) Send 4 patron information requests with an empty AD field
3) Note the patron's account is now locked
4) Apply this patch
5) Repeat step 2 with a different patron
6) Note the patron's account does not get locked!

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

diff --git a/C4/SIP/Sip/MsgType.pm b/C4/SIP/Sip/MsgType.pm
index 9ec126e..43b02d2 100644 (file)
--- a/C4/SIP/Sip/MsgType.pm
+++ b/C4/SIP/Sip/MsgType.pm
@@ -965,9 +965,10 @@ sub handle_patron_info {
         if ( defined($patron_pwd) ) {
 
             # If patron password was provided, report whether it was right or not.
-            $password_rc = $patron->check_password($patron_pwd);
             if ( $patron_pwd eq q{} && $server->{account}->{allow_empty_passwords} ) {
                 $password_rc = 1;
+            } else {
+                $password_rc = $patron->check_password($patron_pwd);
             }
             $resp .= add_field( FID_VALID_PATRON_PWD, sipbool( $password_rc ) );
         }