[Bug 23516] New: Incorrect permissions on modrequest.pl could lead to unauthorized hold changes
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23516 Bug ID: 23516 Summary: Incorrect permissions on modrequest.pl could lead to unauthorized hold changes Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Hold requests Assignee: koha-bugs@lists.koha-community.org Reporter: oleonard@myacpl.org QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com When you modify a hold's priority or pickup location via the list of holds on a particular title (/cgi-bin/koha/reserve/request.pl?biblionumber=X), you're submitting the data to modrequest.pl. modrequest.pl requires only "catalogue" permission. It can usually only be accessed via request.pl which requires "reserveforothers => 'place_holds'" permission. However, a correctly-constructed link could allow a user without "modify_holds_priority" permission to modify a hold's priority: /cgi-bin/koha/reserve/modrequest.pl?reserve_id=RESERVEID&borrowernumber=BORROWERNUMBER&biblionumber=BIBLIONUMBER&rank-request=PRIORITY&pickup=LIBRARY&itemnumber=&suspend_until= -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org