http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=2426 Joe Atzberger <joe.atzberger@liblime.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |major --- Comment #4 from Joe Atzberger <joe.atzberger@liblime.com> 2009-05-29 14:54:46 --- So I now consider the main problem to be that IndepdendantBranches is essentially broken with respect to the way it "secures" the Set link. As a granular permission, catalogue=>setbranch would make sense, but that wouldn't fix it for non-granular Indy branches, since they would no longer be able to control the appearance of that link separately (everyone w/ "catalogue" would see it). In reality that is all they are controlling, the appearance of the link. The user can still go to selectbranches.pl and set a new branch (they just don't see the link). So that represents a security failure. I'm upgrading the severity accordingly. I'm open to suggestions about the best way to fix it, but using a different top level permission (i.e. "management") cannot be it. That would split the security model for the page, and therefore for the links to the page, as currently seen. I think selectbranchprinter.pl and circulation.pl need to be refactored. The branch-setting has to happen at selectbranchprinter and NOT be a post back to circulation.pl. After that is successful, it can redirect to circulation (or HTTP_REFERER). -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.