http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7551 Bug #: 7551 Summary: Any logged-in OPAC user can renew items for others using a properly constructed URL Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Platform: All OS/Version: All Status: NEW Severity: blocker Priority: P1 - high Component: OPAC AssignedTo: oleonard@myacpl.org ReportedBy: oleonard@myacpl.org QAContact: koha.sekjal@gmail.com opac-renew.pl takes whatever borrowernumber you give it, so if you know the borrowernumber and itemnumber of the patron and item you can renew items for anyone from the OPAC. In my test all that was required was a valid OPAC login. To reproduce: 1. Log in to the OPAC as any valid user. 2. Point the browser to the URL of opac-renew.pl: http://koha.example.com/cgi-bin/koha/opac-renew.pl?borrowernumber=X&item=Y Where X is a Koha patron and Y is the itemnumber of something checked out to X. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.