[Bug 10799] New: Able to change logged in user
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10799 Bug ID: 10799 Summary: Able to change logged in user Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Self checkout Assignee: koha-bugs@lists.koha-community.org Reporter: mtompset@hotmail.com QA Contact: testopia@bugs.koha-community.org While testing for oleonard at responsive.mykoha.co.nz, I found these steps duplicated a weird glitch. 1) go to responsive.mykoha.co.nz 2) log in The user is member, member 3) click the self checkout link 4) log in 5) click the browser back button twice 6) refresh page The user is now staff Similarly, 1) go to responsive.mykoha.co.nz 2) click the self checkout link 3) log in 4) click the finish button 5) change the address back to the http://responsive.mykoha.co.nz/ 6) refresh page The user is now staff The log in used was the member, member one, and not staff. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10799 --- Comment #1 from M. Tompsett <mtompset@hotmail.com> --- To trigger the problem in firefox for method one: 1) go to responsive.mykoha.co.nz 2) log in The user is member, member 3) copy the self checkout link 4) search for a book 5) view the details 6) paste the self checkout link 7) log in 8) click the browser back button twice 9) refresh page. Without actually being on a page past the log in, Firefox would resend the data and avoid this bug. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10799 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master --- Comment #2 from Owen Leonard <oleonard@myacpl.org> --- Note that this problem isn't a problem just with the demo system linked above, but with any system running master (or before, probably). In order to reproduce the problem you have to have the AutoSelfCheckAllowed preference set to "allow the web-based self checkout system to automatically login with this staff login..." and have staff login credentials saved. So it's not exactly the case that one is able to change the logged in user--the staff user must be logged in for the self checkout to work. It's more a question of whether there should be a built-in way to prevent the self checkout user from accessing a regular OPAC session. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10799 --- Comment #3 from M. Tompsett <mtompset@hotmail.com> --- Unless you lock your browser down, someone is likely to click back or paste things into the address bar. The self-checkout isn't really self-checkout, it is use this staff user for checkout. Sort of like a seteuid system implemented as a setuid instead of actually implementing a seteuid system. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10799 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Able to change logged in |Able to become |user |self-checkout staff user in | |OPAC -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org