[Koha-bugs] [Bug 36076] paycollect.tt is missing permission checks for manual credit and invoice
bugzilla-daemon at bugs.koha-community.org
Sun Mar 3 23:37:40 CET 2024
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36076
Victor Grousset/tuxayo <victor at tuxayo.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|major |normal
--- Comment #6 from Victor Grousset/tuxayo <victor at tuxayo.net> ---
(In reply to Fridolin Somers from comment #2)
> I set major because it is a permission leak
It's just displaying links which don't work because the server checks the
permission before sending the page.
And even if it did work, the POST requests for invoices and credit are also
protected server side. (Checked by loading the form, removing the permission
and trying to make a manual invoice/credit.)