[Bug 7550] Self checkout: limit display of patron image to logged-in patron
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #62272|0 |1 is obsolete| | --- Comment #6 from Owen Leonard <oleonard@myacpl.org> --- Created attachment 62289 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62289&action=edit [SIGNED-OFF] Bug 7550 - Self checkout: limit display of patron image to logged-in patron The patron image display in the self-checkout takes a GET parameter from the image source, so if someone copied the image location and substituted the barcode string they could browse through all patron images: <img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX"> To reproduce: - Enable self checkout, go to [Your Server]//cgi-bin/koha/sco/sco-main.pl - Log in with a user 'A' who has a patron image - Copy the address of the patron image into an other browser window - Change the borrowernumber to on of an other user 'B' having a patron image - Verify that the patron image is displayed To test: - Apply patch, restart plack / memcached - Try to reproduce - Verify that you can no longer display the image of user 'B' by tweaking the image address Signed-off-by: Owen Leonard <oleonard@myacpl.org> https://bugs.koha-community.org/show_bug.cgi?id=7750 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org