[Koha-bugs] [Bug 2426] Management Permissions Deprecated
bugzilla-daemon at liblime.com
Fri May 29 16:54:47 CEST 2009
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=2426
Joe Atzberger <joe.atzberger at liblime.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
        Severity|normal                      |major
--- Comment #4 from Joe Atzberger <joe.atzberger at liblime.com> 2009-05-29 14:54:46 ---
So I now consider the main problem to be that IndependantBranches is
essentially broken with respect to the way it "secures" the Set link.
As a granular permission, catalogue=>setbranch would make sense, but that
wouldn't fix it for non-granular Indy branches, since they would no longer be
able to control the appearance of that link separately (everyone w/ "catalogue"
would see it).
In reality that is all they are controlling, the appearance of the link. The
user can still go to selectbranches.pl and set a new branch (they just don't
see the link). So that represents a security failure. I'm upgrading the
severity accordingly.
I'm open to suggestions about the best way to fix it, but using a different top
level permission (i.e. "management") cannot be it. That would split the
security model for the page, and therefore for the links to the page, as
currently seen.
I think selectbranchprinter.pl and circulation.pl need to be refactored. The
branch-setting has to happen at selectbranchprinter and NOT be a post back to
circulation.pl. After that is successful, it can redirect to circulation (or
HTTP_REFERER).
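Added example, not Koha code: a small Python model of the failure the comment describes (the template hides the Set link, but the branch-changing endpoint never re-checks the rule) next to the refactored flow where the endpoint enforces the rule itself and then redirects. The rule "when IndependantBranches is on, only a superlibrarian may change the working branch" and the user/pref shapes are assumptions for illustration.

```python
"""Hidden link != access control: model of the IndependantBranches problem.
Added example; the permission rule and data shapes are assumed, not Koha's."""
from dataclasses import dataclass, field


@dataclass
class User:
    userid: str
    branch: str
    flags: set = field(default_factory=set)  # e.g. {"catalogue", "superlibrarian"}


def may_set_branch(user, prefs):
    """One authorization rule, used by BOTH the template and the handler.
    Assumed rule: with IndependantBranches on, only a superlibrarian may switch."""
    if not prefs.get("IndependantBranches"):
        return True
    return "superlibrarian" in user.flags


def link_visible(user, prefs):
    """What the template controls: only whether the 'Set' link is rendered."""
    return may_set_branch(user, prefs)


def vulnerable_set_branch(user, prefs, new_branch):
    """Original flow: a post back to circulation.pl changes the branch without
    re-checking the rule, so a user who never saw the link can still switch."""
    user.branch = new_branch
    return 302, "circulation.pl"


def hardened_set_branch(user, prefs, new_branch, referer=None):
    """Refactored flow: selectbranchprinter performs the change itself, refuses
    when the rule fails, and only on success redirects to circulation.pl or
    back to HTTP_REFERER."""
    if not may_set_branch(user, prefs):
        return 403, None
    user.branch = new_branch
    return 302, referer or "circulation.pl"


if __name__ == "__main__":
    prefs = {"IndependantBranches": 1}           # constructed sample syspref
    staff = User("staff", "MAIN", {"catalogue"})  # constructed sample user
    print("link shown:", link_visible(staff, prefs))            # False
    print("vulnerable:", vulnerable_set_branch(staff, prefs, "B"), staff.branch)
    print("hardened:", hardened_set_branch(User("s2", "MAIN", {"catalogue"}), prefs, "B"))
```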