Merge pull request #4477 from corentin-soriano/fix_local_account_issue

Fix login issue with local accounts.
nilsteampassnet · Nov 20, 2024 · fa2d565 · fa2d565
2 parents 3a365f3 + 1a0c022
commit fa2d565
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/sources/identify.php b/sources/identify.php
@@ -2510,7 +2510,19 @@ function createOauth2User(
                 'message' => $ret['message'],
             ];
         }
-
+
+        // login/password attempt on a local account:
+        // Return to avoid overwrite of user password that can allow a user
+        // to steal a local account.
+        if (!$ret['oauth2Connection'] || !$ret['userPasswordVerified']) {
+            return [
+                'error' => false,
+                'message' => $ret['message'],
+                'ldapConnection' => false,
+                'userPasswordVerified' => false,        
+            ];
+        }
+
         // Oauth2 user already exists and authenticated
         if (WIP === true) error_log("--- USER AUTHENTICATED ---");
         $userInfo['has_been_created'] = 0;