dovecot-2.2: auth: Fixed passdb skip_password_check / result_suc...

dovecot at dovecot.org dovecot at dovecot.org
Mon Sep 7 11:10:04 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/43723e4bf750
changeset: 19097:43723e4bf750
user:      Timo Sirainen <tss at iki.fi>
date:      Mon Sep 07 14:08:52 2015 +0300
description:
auth: Fixed passdb skip_password_check / result_success=continue-fail handling
If passdb returned success, but result_success=continue-fail, it means that
the authentication didn't succeed. So we still want to check the password
again and in general treat the request as unauthenticated (especially for
the passdb { skip } setting).

So the current logic means that there are 2 ways for the request to be
treated as authenticated and skipping any password checking:

1) passdb lookup succeeding, with result_success=continue, continue-ok,
return or return-ok

2) passdb lookup not succeeding, with result_failure=continue-ok or
return-ok

It's a bit questionable though if 2) should be allowed.

diffstat:

 src/auth/auth-request.c |  14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

diffs (35 lines):

diff -r 0ff2440bb1aa -r 43723e4bf750 src/auth/auth-request.c
--- a/src/auth/auth-request.c	Mon Sep 07 13:40:41 2015 +0300
+++ b/src/auth/auth-request.c	Mon Sep 07 14:08:52 2015 +0300
@@ -593,10 +593,18 @@
 		break;
 	case AUTH_DB_RULE_CONTINUE:
 		passdb_continue = TRUE;
+		if (*result == PASSDB_RESULT_OK) {
+			/* password was successfully verified. don't bother
+			   checking it again. */
+			request->skip_password_check = TRUE;
+		}
 		break;
 	case AUTH_DB_RULE_CONTINUE_OK:
 		passdb_continue = TRUE;
 		request->passdb_success = TRUE;
+		/* password was successfully verified. don't bother
+		   checking it again. */
+		request->skip_password_check = TRUE;
 		break;
 	case AUTH_DB_RULE_CONTINUE_FAIL:
 		passdb_continue = TRUE;
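
Review bot: in the AUTH_DB_RULE_CONTINUE_OK case, request->skip_password_check is now set without looking at *result, while the block removed further down only set it when *result == PASSDB_RESULT_OK. With result_failure=continue-ok this marks the password as checked after a failed lookup, which is case 2) that the description itself calls questionable, and the copied comment "password was successfully verified" is not accurate on that path. Either guard the assignment with the same *result == PASSDB_RESULT_OK test used under AUTH_DB_RULE_CONTINUE, or reword the comment to say the request is treated as authenticated by rule regardless of the lookup result.
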
@@ -604,12 +612,6 @@
 		break;
 	}
 
-	if (*result == PASSDB_RESULT_OK && passdb_continue) {
-		/* password was successfully verified. don't bother
-		   checking it again. */
-		request->skip_password_check = TRUE;
-	}
-
 	if (request->requested_login_user != NULL &&
 	    *result == PASSDB_RESULT_OK) {
 		auth_request_master_lookup_finish(request);
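
Review bot: the remaining check before auth_request_master_lookup_finish() still keys only on *result == PASSDB_RESULT_OK, so it does not obviously follow the per-rule decision this patch introduces for skip_password_check. The visible lines do not show whether the AUTH_DB_RULE_CONTINUE_FAIL case changes *result, so it is worth confirming that a successful lookup with result_success=continue-fail cannot reach the master lookup finish as if it were authenticated, and adding a short comment here stating which rules are expected to get this far. With the shared block gone, any rule case not shown in this diff also has to set skip_password_check itself, which deserves a note near the switch.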

