[Koha-bugs] [Bug 7551] New: Any logged-in OPAC user can renew items for others using a properly constructed URL
bugzilla-daemon at bugs.koha-community.org
Thu Feb 16 21:19:22 CET 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7551
Bug #: 7551
Summary: Any logged-in OPAC user can renew items for others
using a properly constructed URL
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P1 - high
Component: OPAC
AssignedTo: oleonard at myacpl.org
ReportedBy: oleonard at myacpl.org
QAContact: koha.sekjal at gmail.com
opac-renew.pl takes whatever borrowernumber you give it, so if you know the
borrowernumber and itemnumber of the patron and item you can renew items for
anyone from the OPAC. In my test all that was required was a valid OPAC login.
To reproduce:
1. Log in to the OPAC as any valid user.
2. Point the browser to the URL of opac-renew.pl:
http://koha.example.com/cgi-bin/koha/opac-renew.pl?borrowernumber=X&item=Y
Where X is a Koha patron and Y is the itemnumber of something checked out to X.
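Added example, not part of the original report and not Koha's code: a self-contained Python model of the renewal request, showing the reported behaviour beside a handler that takes the borrower identity only from the authenticated session. The session ids, borrowernumbers, itemnumbers, function names and return strings are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed data standing in for Koha's tables (not real Koha structures).
SESSIONS = {"sess-a": 51, "sess-b": 77}   # session id -> logged-in borrowernumber
ISSUES = {1001: 51, 2001: 77}             # itemnumber -> borrowernumber holding it


def _params(url):
    """Return the first value of each query parameter in the request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _int(value):
    """Parse a numeric id; None for missing or non-numeric input."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def renew_as_reported(session_id, url, renewed):
    """Model of the reported behaviour: borrower identity is read from the URL."""
    if session_id not in SESSIONS:
        return "login required"
    p = _params(url)
    borrower, item = _int(p.get("borrowernumber")), _int(p.get("item"))
    if borrower is None or item is None or ISSUES.get(item) != borrower:
        return "nothing to renew"
    renewed.append((borrower, item))
    return "renewed"


def renew_session_bound(session_id, url, renewed):
    """Hardened model: borrower identity comes only from the session."""
    borrower = SESSIONS.get(session_id)
    if borrower is None:
        return "login required"
    p = _params(url)
    item = _int(p.get("item"))
    if item is None:
        return "bad request"
    claimed = _int(p.get("borrowernumber")) if "borrowernumber" in p else borrower
    # Reject a borrowernumber that is not the caller's, and an item the caller does not hold.
    if claimed != borrower or ISSUES.get(item) != borrower:
        return "forbidden"
    renewed.append((borrower, item))
    return "renewed"
```

The same request that succeeds for another user's session in the first function returns "forbidden" in the second, which makes a useful regression test for the fix.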