https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Bug ID: 23108 Summary: staffaccess permission can be easily circumvented Change sponsored?: --- Product: Koha Version: 18.11 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: andrew@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Target Milestone: --- A user without the staffaccess permission cannot change the permissions or password for another user belonging to a patron category that is not type Staff. This works as intended. BUT: A user without the staffaccess permission can simply change a Staff user to a new non-staff patron category and then make changes to permissions and/or password. To test: - create patron category STAFF with type Staff - create patron A and patron B in category STAFF - create patron category ADULT with type Adult - give patron A catalogue and borrowers permissions (but NOT staffaccess) - log in as patron A - verify that you cannot change permissions for patron B - verify that you cannot change password for patron B - change patron B to category ADULT - change patron B's permission - change patron B's password -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.