[Bug 9569] New: IndependantBranches preference appears to override AutoLocation security feature
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9569 Bug ID: 9569 Summary: IndependantBranches preference appears to override AutoLocation security feature Classification: Unclassified Change sponsored?: --- Product: Koha Version: 3.10 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: System Administration Assignee: koha-bugs@lists.koha-community.org Reporter: fred.pierre@smfpl.org CC: gmcharlt@gmail.com Setting system preference "IndependantBranches" [sic] to "Don't prevent" staff from modifying objects (holds, items, patrons, etc.) belonging to other libraries appears to negate the AutoLocation ip address range, allowing any remote location to log in with proper credentials. The default or zero value appears to be "Don't Prevent" Selecting "Prevent" secures log in to our library's ip address range, but prevents checkout of some items, not sure why, as the items appear to be coded with our branch. Most items continue to checkout normally. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9569 Fred P <fred.pierre@smfpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|IndependantBranches |RESOLVED: |preference appears to |IndependantBranches |override AutoLocation |preference appears to |security feature |override AutoLocation | |security feature --- Comment #1 from Fred P <fred.pierre@smfpl.org> --- I misunderstood the conditions. We were using an external facing IP address range and sending our requests out of network before they would come back in. Changing to an internal facing IP address range 192.168.* stopped remote access. The IndependantBranches setting "Prevent" works well on our master branch test servers, but fails on our v3.10 server. Selecting "Prevent" on the v3.10 production server disables everyone's ability to log in. The problem is not happening on my v3.11 servers, so this bug may be considered CLOSED. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9569 --- Comment #2 from Fred P <fred.pierre@smfpl.org> --- My mistake again. This problem is still active. This line from Auth.pm yields the result that you must set AutoLocation to "Require" AND IndependantBranches to "Prevent" to secure your Koha. Auth.pm around line 834: ----------------------------------------------- if (C4:Context->boolean_preference('IndependantBranches') && C4::Context->boolean_preference('AutoLocation')){ # we have to check they are coming from the right ip range ----------------------------------------------- The other three combinations of these two settings result in a system that anyone can remotely access and hack, because we don't limit password attempts. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9569 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|RESOLVED: |IndependantBranches |IndependantBranches |preference appears to |preference appears to |override AutoLocation |override AutoLocation |security feature |security feature | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9569 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|System Administration |Authentication Assignee|koha-bugs@lists.koha-commun |gmcharlt@gmail.com |ity.org | CC| |dpavlin@rot13.org, | |katrin.fischer@bsz-bw.de, | |martin.renvoize@ptfs-europe | |.com --- Comment #3 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Martin, could you take a look at this? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org