http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11911 Bug ID: 11911 Summary: purchase suggestions permission can be bypassed Change sponsored?: --- Product: Koha Version: 3.12 Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: nengard@gmail.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com If I don’t give an account a permission to the purchase suggestions, but they have a copy of the link, such as http://mysite/cgi-bin/koha/suggestion/suggestion.pl?displayby=STATUS&bra..., they can go straight into the feature without permission. Shouldn’t the suggestion.pl be checking permissions upon loading? Do most pages function in this manner? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.