[Tickets #14467] Re: authLockUser method missing
noreply at bugs.horde.org
Wed Sep 14 14:10:22 UTC 2016
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/14467
------------------------------------------------------------------------------
Ticket | 14467
Updated By | Michael Rubinsky <mrubinsk at horde.org>
Summary | authLockUser method missing
Queue | IMP
Version | 6.2.16
Type | Bug
State | Unconfirmed
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Michael Rubinsky <mrubinsk at horde.org> (2016-09-14 14:10) wrote:
Yes, something doesn't look right there.
Horde_Core_Auth_Application::lockUser is an override of
Horde_Auth_Base::lockUser. It looks like it was added to give
applications the ability to provide their own method of locking users
- though none of our applications seem to implement this.
The 'lock' capability is set if the 'lock_api' parameter is passed
when constructing an Auth object, and this is done when the
'login_block' parameter is set in the config. Now, the hasCapability()
method is called in Horde_Core_Auth_Application::lockUser - the
Horde_Core_Auth_Application::hasCapability method explicitly states
that the 'lock' ability is determined by "Horde", and NOT by
applications - yet, when that check is true, we call the application
method. That is broken. If we truly want to allow the applications to
provide their own lock mechanisms we need to first check the
appCapability, and if that fails, then check Horde.
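
The check order discussed in the comment above, as an added sketch that is not Horde's code and not part of the ticket: it models the order described as broken next to the proposed order (application capability first, then Horde). Every class, property and return value is hypothetical; only the authLockUser method name and the 'lock' capability come from the ticket.

```php
<?php
// Added sketch. All names are hypothetical except authLockUser (ticket
// summary) and the 'lock' capability (from the comment above).
class SketchApp                     // stands in for an application such as IMP
{
    public $authCaps = [];          // capabilities the application implements
}

class SketchAuth
{
    private $app;
    private $hordeLock;             // assumed: true when 'lock_api' was passed

    public function __construct(SketchApp $app, $hordeLock)
    {
        $this->app = $app;
        $this->hordeLock = $hordeLock;
    }

    // Order described as broken: the Horde-level capability gates the app call.
    public function lockUserBroken($user)
    {
        if ($this->hordeLock) {
            return $this->app->authLockUser($user);   // method may not exist
        }
        return false;
    }

    // Proposed order: ask the application first, then fall back to Horde.
    public function lockUserProposed($user)
    {
        if (in_array('lock', $this->app->authCaps, true)
            && is_callable([$this->app, 'authLockUser'])) {
            return $this->app->authLockUser($user);
        }
        if ($this->hordeLock) {
            return "horde-level lock applied to $user"; // placeholder for the base-class lock
        }
        throw new RuntimeException('lock capability not available');
    }
}

$auth = new SketchAuth(new SketchApp(), true);  // constructed case: app has no lock method
echo $auth->lockUserProposed('alice'), "\n";
try {
    $auth->lockUserBroken('alice');
} catch (Error $e) {                // PHP 7+: an undefined method raises Error
    echo 'broken order: ', $e->getMessage(), "\n";
}
```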