[Bug 7550] Self checkout: limit display of patron image to logged-in patron
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550 --- Comment #26 from Marc Véron <veron@veron.ch> --- (In reply to Marcel de Rooy from comment #24)
(In reply to Marc Véron from comment #14)
Hmm, my patch worked with a hash generated with the image file (as recommended in comment #7), and it did not leave a security hole with SelfCheckoutByLogin="barcode"
Looks to me that this option is a security hole on itself? If I guess barcodes, I can still see all images? If I come on sco-main, I will automatically get the image from the img tag as well? Or do I misunderstand the discussion here?
We have two situations: Situation # 1 - SCO is up and running. A user logs in with what ever credentioals necessary, depending on SelfCheckoutByLogin - User copies the image link into the address bar of a new browser window. It is something like: .../cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX - User changes the borrowernumber - Image of an other user is displayed (should not be possible) That's what this bug is about. Problem is solved by adding an unguessable token to the link. Problem #2 - SCO is up and running. SelfCheckOut is set to barcode (i.e. card number) - Someboy comes along the SCO station and tries to log in by guessing card numbers. If the numbering pattern is simple, there is a good chance that they can break in. That's what this bug is not about. IMO problem #2 should be discussed and addressed in a new bug. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org