[Koha-bugs] [Bug 34306] New: Able to access tools without permission
bugzilla-daemon at bugs.koha-community.org
Tue Jul 18 20:55:24 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34306
Bug ID: 34306
Summary: Able to access tools without permission
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Tools
Assignee: koha-bugs at lists.koha-community.org
Reporter: cbrannon at cdalibrary.org
QA Contact: testopia at bugs.koha-community.org
In an attempt to work around bug 34288 until it is available to 22.11, I was
checking to see if going straight to /cgi-bin/koha/labels/spinelabel-home.pl
would be a reasonable workaround. Indeed, it does work, but it works for
anyone that can get to the link, not just people that have permission to the
tool. It does not seem that this tool is managed by the label_creator
permission.
Then I thought, maybe this permission only manages
/cgi-bin/koha/labels/label-home.pl, so I tested that. But nope. I can bypass
permissions and get to that page. Aren't permissions supposed to prevent you
from getting to the tools at all? Anyone can easily share URLs to pages. If
all the permissions are doing is allowing a tool link to show, that is not much
of a permission. I'm a bit concerned about this.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
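
The gap described in the report, a permission that only decides whether a tool's link is shown versus one that is checked when the script is requested, as an added sketch that is not Koha code and not part of the original message. The route table, `User` type, handler names and sample users are hypothetical; the two paths and the `label_creator` permission name are the ones in the report.

```python
from dataclasses import dataclass, field

# Required permission per staff script (paths and permission name from the report;
# the mapping itself is an assumption made for this illustration).
REQUIRED = {
    "/cgi-bin/koha/labels/label-home.pl": "label_creator",
    "/cgi-bin/koha/labels/spinelabel-home.pl": "label_creator",
}

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)

# Constructed sample users.
NO_PERM = User("circ_staff")
LABEL_USER = User("label_staff", {"label_creator"})

def menu_links(user):
    """Link hiding: decides only what the tools menu displays."""
    return [p for p, perm in REQUIRED.items() if perm in user.permissions]

def handle_link_hiding_only(user, path):
    """Behaviour described in the report: whoever has the URL gets the page."""
    return 200 if path in REQUIRED else 404

def handle_enforced(user, path):
    """Permission checked on every request, however the URL was obtained."""
    perm = REQUIRED.get(path)
    if perm is None:
        return 404  # deny by default: scripts without a declared permission are not served
    return 200 if perm in user.permissions else 403

def audit(handler, user):
    """Paths the handler serves to a user who lacks the required permission."""
    return [p for p, perm in REQUIRED.items()
            if perm not in user.permissions and handler(user, p) == 200]

if __name__ == "__main__":
    print("menu for NO_PERM:", menu_links(NO_PERM))
    print("link hiding only:", audit(handle_link_hiding_only, NO_PERM))
    print("enforced:", audit(handle_enforced, NO_PERM))
```

Running `audit` against every script in the route table, with a user who holds no permissions, works as a regression check: an empty list means the permission gates the page itself and not just the menu entry.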