fixed anon-session bug

toto/mongodbconnection.py

@@ -68,7 +68,7 @@ def create_session(self, user_id=None, password=None):
     if not user_id:
       user_id = ''
     account = user_id and self.db.accounts.find_one({'user_id': user_id})
-    if user_id and not account or not secret.verify_password(password, account['password']):
+    if user_id and (not account or not secret.verify_password(password, account['password'])):
       raise TotoException(ERROR_USER_NOT_FOUND, "Invalid user ID or password")
     session_id = base64.b64encode(uuid.uuid4().bytes, '-_')[:-2]
     self.db.sessions.remove({'user_id': user_id, 'expires': {'$lt': time()}})

toto/mysqldbconnection.py

@@ -94,7 +94,7 @@ def create_session(self, user_id=None, password=None):
       user_id = ''
     user_id = user_id.lower()
     account = user_id and self.db.get("select * from account where user_id = %s", user_id)
-    if user_id and not account or not secret.verify_password(password, account['password']):
+    if user_id and (not account or not secret.verify_password(password, account['password'])):
       raise TotoException(ERROR_USER_NOT_FOUND, "Invalid user ID or password")
     session_id = base64.b64encode(uuid.uuid4().bytes, '-_')[:-2]
     self.db.execute("delete from session where account_id = %s and expires <= %s", account['account_id'], time())

toto/redisconnection.py

@@ -65,7 +65,7 @@ def create_session(self, user_id=None, password=None):
       user_id = ''
     account_key = _account_key(user_id)
     account = user_id and password and self.db.hmget(account_key, 'user_id', 'password')
-    if user_id and account[0] != user_id or not secret.verify_password(password, account[1]):
+    if user_id and (account[0] != user_id or not secret.verify_password(password, account[1])):
       raise TotoException(ERROR_USER_NOT_FOUND, "Invalid user ID or password")
     session_id = base64.b64encode(uuid.uuid4().bytes, '-_')[:-2]
     ttl = (user_id and self.session_ttl or self.anon_session_ttl)