Tessitura SOAP API login bug?

Hi,

I'm a little new to the Tessitura SOAP API, but I have been tinkering with it for a bit and have noticed that for accounts that were created in the Tessitura admin area (not via the API) I can log in via their email address as the username and any password I want. ??

I am going to assume we have something configured incorrectly in Tessitura, but this seems like a little bit of a problem.

Also, 580-page API doc in Word format?! Really?

m

  • This seems to happen when you create a "Web Login" via the admin interface and it puts the user's Web Login account in a Temporary state. From what I understand this is intended to allow a user to have a chance to be prompted to create their password, but from what I can tell, you can actually just log in with any old password when it's in this state.

    -m

  • This sounds like what we discovered last month -- actually if you use the client application to change the login ID itself, it sets the stored password hash to null, which allows you to log in with any password. We've reported it and last I heard it's in a development queue as a defect.
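
An added illustration, not part of the thread and not Tessitura's code: a hypothetical verifier that fails open when the stored hash is null, next to one that fails closed for null hashes and Temporary-state logins, plus an audit helper for finding such accounts. The `WebLogin` record, its field names, the state strings and the sample accounts are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class WebLogin:  # hypothetical record, not Tessitura's schema
    login: str
    state: str                # "active" or "temporary" (assumed labels)
    salt: bytes
    pw_hash: Optional[bytes]  # None models the null hash described in the thread


def verify_fail_open(acct: WebLogin, password: str) -> bool:
    """Hypothetical flawed pattern: rejects only when a hash exists and differs."""
    if acct.pw_hash and not hmac.compare_digest(
            acct.pw_hash, hash_password(password, acct.salt)):
        return False
    return True  # a null hash falls through to "accepted"


def verify_fail_closed(acct: WebLogin, password: str) -> bool:
    """Accept only an active account whose stored hash exists and matches."""
    candidate = hash_password(password, acct.salt)  # computed on every path
    if acct.state != "active" or not acct.pw_hash:
        return False  # must go through a set-password/reset flow instead
    return hmac.compare_digest(acct.pw_hash, candidate)


def audit(accounts):
    """Logins that should never be able to authenticate with a password."""
    return [a.login for a in accounts if a.state != "active" or not a.pw_hash]


# Constructed sample data
_salt = os.urandom(16)
ACCOUNTS = [
    WebLogin("alice@example.org", "active", _salt, hash_password("correct horse", _salt)),
    WebLogin("bob@example.org", "temporary", _salt, None),
    WebLogin("carol@example.org", "active", _salt, None),
]
```

Running `audit` over an export of login records is a quick way to see how many accounts are exposed while the defect is unfixed.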
