http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 Bug #: 6676 Summary: Acquisition basket access control trivially by-passable Classification: Unclassified Change sponsored?: --- Product: Koha Version: rel_3_4 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P5 Component: Acquisitions AssignedTo: henridamien@koha-fr.org ReportedBy: ef@math.uni-bonn.de QAContact: koha-bugs@lists.koha-community.org Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's trivially circumvented by simply altering the basketno CGI parameter to, e.g. baket.pl. I can think of three ways to close this security hole: 1. Check permissions in every script that deals with baskets. This would probably require an extension to C4::Auth. 2. Randomise basket numbers. 3. Add a random key to each basket that must be given as a CGI parameter (in addition to basketno) in order for a script to allow access to that basket. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.