Posted to commits@ofbiz.apache.org by mb...@apache.org on 2015/09/19 18:02:16 UTC

svn commit: r1704052 - /ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java

Author: mbrohl
Date: Sat Sep 19 16:02:15 2015
New Revision: 1704052

URL: http://svn.apache.org/viewvc?rev=1704052&view=rev
Log:
Applied patch for OFBIZ-6635: Old UserLogin from userLoginId-change is not correctly disabled.

If a userLoginId of an existing user is updated by LoginServices.updateUserLoginId, a new UserLogin value is created with the data of the old one and the old one is disabled afterwards. In addition to switching the enabled flag to "N", the disabledDateTime is set to the current date. This is wrong because this makes it possible to reenable the old UserLogin by just doing a login with the old userLoginId (standard mechanism to lock the login for a while after subsequent failed login requests).

Thanks Martin Becker for spotting this and providing the patch.

Modified:
    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java

Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1704052&r1=1704051&r2=1704052&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Sat Sep 19 16:02:15 2015
@@ -791,8 +791,9 @@ public class LoginServices {
             return ServiceUtil.returnError(errMsg);
         }
 
+        // Deactivate 'old' UserLogin and do not set disabledDateTime here, otherwise the 'old' UserLogin would be reenabled by next login
         loggedInUserLogin.set("enabled", "N");
-        loggedInUserLogin.set("disabledDateTime", UtilDateTime.nowTimestamp());
+        loggedInUserLogin.set("disabledDateTime", null);
 
         try {
             loggedInUserLogin.store();
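Review bot: the new `loggedInUserLogin.set("disabledDateTime", null);` line only covers renames made from this revision on. UserLogin rows already written by the removed `UtilDateTime.nowTimestamp()` line still have enabled "N" together with a timestamp, so by the log message's own description they remain re-enableable through a login with the old userLoginId. Consider a follow-up that clears disabledDateTime on those existing rows, or at least a note in OFBIZ-6635 on how to find them. The meaning "null disabledDateTime = stays disabled" is also stated only in the added comment, and this commit modifies nothing but LoginServices.java. A test that renames a userLoginId, attempts a login with the old id, and asserts that enabled is still "N" would guard against a regression in either this method or the login path.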