[Bug 23108] New: staffaccess permission can be easily circumvented
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Bug ID: 23108 Summary: staffaccess permission can be easily circumvented Change sponsored?: --- Product: Koha Version: 18.11 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: andrew@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Target Milestone: --- A user without the staffaccess permission cannot change the permissions or password for another user belonging to a patron category that is not type Staff. This works as intended. BUT: A user without the staffaccess permission can simply change a Staff user to a new non-staff patron category and then make changes to permissions and/or password. To test: - create patron category STAFF with type Staff - create patron A and patron B in category STAFF - create patron category ADULT with type Adult - give patron A catalogue and borrowers permissions (but NOT staffaccess) - log in as patron A - verify that you cannot change permissions for patron B - verify that you cannot change password for patron B - change patron B to category ADULT - change patron B's permission - change patron B's password -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Andrew <andrew@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Andrew from comment #0)
BUT: A user without the staffaccess permission can simply change a Staff user to a new non-staff patron category and then make changes to permissions and/or password.
Hi Andrew, are you aware of the pref ProtectSuperlibrarianPrivileges? With the pref turned on (default) what you describe should not be allowed. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Aguayo <azucena.aguayo@uvu.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |azucena.aguayo@uvu.edu --- Comment #2 from Aguayo <azucena.aguayo@uvu.edu> --- Hi Jonathan, The ProtectSuperlibrarianPrivileges doesn't prevent the issue with either option set. If Patron A with only borrower permissions attempts to change the password using the "Change Password" button for Patron B, Patron A gets an error that they can't change the username/password of Patron B. Working as intended. However, Patron A can use the "Edit" button and change Patron B from Staff category to Adult category. Then after saving the account, Patron A can change the username/password of Patron B. At this point, Patron B is locked out of their account. In my case, Patron A has the following rights -(circulate) -(catalogue) -(borrowers) Patron A doesn't have -(permissions) -(staffaccess) (borrowers) is enough to allow the change from Staff to Adult. It seems that the settings protecting the Staff accounts don't look at the Edit rights of borrowers to prevent a category change. And ProtectSuperlibrarianPrivileges only prevents password changes for the Staff category. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de --- Comment #3 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Hi Aguayo, I think it might be really hard to fix this - do you have a suggestion on how this could work? If it helps: The change to the category should be logged and in that case you will be able to find out who made the change that locked out the user. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|18.11 |master -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108 --- Comment #4 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> --- Verified that this is still an issue in Master. I suggest we fix this by making StaffAccess required in order to change the borrower category of a borrower in a staff category. This is complicated by the fact that patron category is included in batch patron modification, unlike everything currently covered by StaffAccess, so we'd have to figure out how we want Koha to behave and report there. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org