http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14323 Bug ID: 14323 Summary: Users who share userid and cardnumber cause Privacy Breach Change sponsored?: --- Product: Koha Version: 3.18 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: joy@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org For Patron log in on the OPAC Koha looks at the userid first and tries to authenticate and then looks at the barcode to find a match. Problem: If you have user1 with a cardnumber that is the userid for user2 and they have the same password Scenario: User1: cardnumber: user1card userid: user1 pwd:changeme User2: cardnumber: user2card userid: user1card pwd:changeme This scenario is a tad unlikely but think about it in a migration perspective. If we have a library with 4 digit cardnumbers and we are making the userid the last four digits of their phone number and we assign a default password to everyone. There's the potential for failure When user1 logs in with his cardnumber s/he is taken to user2's account. Breach of patron privacy. -- You are receiving this mail because: You are watching all bug changes.