[Koha-bugs] [Bug 34306] Update spine label tool to use more appropriate permissions

bugzilla-daemon at bugs.koha-community.org
Thu Jul 20 01:21:03 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34306

--- Comment #6 from David Cook <dcook at prosentient.com.au> ---
(In reply to Christopher Brannon from comment #5)
> David, you stated "There isn't anonymous access to
> /cgi-bin/koha/labels/spinelabel-home.pl. That page does require permission
> to access it."
> 
> I cannot confirm your statement.  I've tested this against a patron that
> does not have the label_creator permission, and she was able to access both
> tools.  Another library also confirmed this.  Please tell me where we are
> missing this.  Is there another permission that might be allowing access to
> these tools somehow?

"Anonymous access" means unauthenticated access. That is, anyone on the
Internet trying to access it. The original title made it sound like anyone
could access the tool just by visiting the URL, which isn't the case.

Currently, "/cgi-bin/koha/labels/spinelabel-home.pl" requires the "catalogue"
permission. Counterintuitively, the "catalogue" permission is the permission
that generally provides access to the staff interface. That's why any of your
authenticated staff users with staff interface permission will be able to view
and use that tool.

It doesn't have serious security implications, but it is suboptimal.

(In reply to Christopher Brannon from comment #5)
> I would rather the permission label_creator
> permission remained the permission to this tool.

It's not currently the permission for this tool. That's why I talked about
changing it to that permission.
