# HG changeset patch # User Sylvain Thénault # Date 1329152227 -3600 # Node ID c2a91d6639d8dd3d6b3026bab802a88b37c7ffb1 # Parent 83fd9ff90a9df8914bf75dd8a2ab92c09108a836 [system source] fix authentication: don't allow login whatever the given password if user password is NULL in database. Closes #2186099 diff -r 83fd9ff90a9d -r c2a91d6639d8 server/sources/native.py --- a/server/sources/native.py Tue Feb 14 15:15:59 2012 +0100 +++ b/server/sources/native.py Mon Feb 13 17:57:07 2012 +0100 @@ -1586,9 +1586,11 @@ pwd = rset[0][0] except IndexError: raise AuthenticationError('bad login') + if pwd is None: + # if pwd is None but a password is provided, something is wrong + raise AuthenticationError('bad password') # passwords are stored using the Bytes type, so we get a StringIO - if pwd is not None: - args['pwd'] = Binary(crypt_password(password, pwd.getvalue()[:2])) + args['pwd'] = Binary(crypt_password(password, pwd.getvalue()[:2])) # get eid from login and (crypted) password rset = self.source.syntax_tree_search(session, self._auth_rqlst, args) try:
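Review bot: the comment added in the hunk ("if pwd is None but a password is provided, something is wrong") does not match the guard beneath it, which raises for a NULL stored password whether or not a password was supplied; either reword the comment to say that an account whose stored password is NULL can never authenticate through this path, or make the condition reflect the comment. Raising AuthenticationError('bad password') here while the IndexError branch just above raises AuthenticationError('bad login') makes the two failure modes distinguishable by message if that string ever reaches the client; using one message for both keeps the login/password distinction internal. Since the removed code silently skipped setting args['pwd'] when pwd was None (which is what let the subsequent syntax_tree_search match regardless of the password), a regression test that creates a user with a NULL password and asserts that authentication fails for any supplied password would pin down the fix.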