[Bug 6676] New: Acquisition basket access control trivially by-passable
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 Bug #: 6676 Summary: Acquisition basket access control trivially by-passable Classification: Unclassified Change sponsored?: --- Product: Koha Version: rel_3_4 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P5 Component: Acquisitions AssignedTo: henridamien@koha-fr.org ReportedBy: ef@math.uni-bonn.de QAContact: koha-bugs@lists.koha-community.org Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's trivially circumvented by simply altering the basketno CGI parameter to, e.g. baket.pl. I can think of three ways to close this security hole: 1. Check permissions in every script that deals with baskets. This would probably require an extension to C4::Auth. 2. Randomise basket numbers. 3. Add a random key to each basket that must be given as a CGI parameter (in addition to basketno) in order for a script to allow access to that basket. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 --- Comment #1 from Mason James <mtj@kohaaloha.com> 2011-08-08 21:46:50 UTC --- Created attachment 4900 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=4900 . there are 3 user-permission settings to control access to acq-baskets • group_manage Manage orders & basketgroups • order_manage Manage orders & basket • order_receive Manage orders & basket have you tested accessing a basket, with all 3 settings 'off'? -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 --- Comment #2 from Edgar Fuß <ef@math.uni-bonn.de> 2011-08-09 09:52:28 UTC --- I was thinking of two members of staff (working at different branches) which both have been granted the rights to handle acquisitions. Nevertheless you may not want one branch's staff to tamper with the acquisitions of another branch. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Depends on| |6390 --- Comment #3 from Katrin Fischer <katrin.fischer@bsz-bw.de> 2011-08-09 10:57:06 UTC --- I will try to explain the problem a bit differently: At the moment staff members can only see their own baskets on the vendor page. And they are supposed to only take a look at their own baskets - so changing the url should not work for them. The fact that staff members can only see their own paskets can be a problem depending on the workflow in the specific library. I have filed bug 6390 for this problem, but as the behaviour is intended we need to find a way to make it configurable. I think the best and most granular solution for this problem would be to add a new permission 'Manage and view all baskets'. The other permissions could be reworded too, to make it a bit more clear how they will work and affect what you can do. I think the problem is not guessing the url of another basket, it's that the script should check if you are allowed to see the basket and change the display appropriately. So if you are not allowed to - show a message telling so. If you are allowed - show the basket and its contents. I think this would be consistent with how Koha works in other places and therefore a better solution than randomizing parts of the URL. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 Bug 6676 depends on bug 6390, which changed state. Bug 6390 Summary: Basket only visible for librarian who created it http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6390 What |Old Value |New Value ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 --- Comment #4 from Owen Leonard <oleonard@myacpl.org> --- Is this bug valid in master? -- You are receiving this mail because: You are the QA Contact for the bug. You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Bug appears no longer valid on master. Without the order_manage and order_manage_all permissions the vendor search shows only the vendor names, no options to create or access baskets. Trying to reach a basket directly via URL fails - a login page is presented. Without oder_manage_all and AcqViewBaskets set to "created or managed by staff member" an error message is shown when trying to access another person's basket: You are not authorised to manage this basket. -- You are receiving this mail because: You are the QA Contact for the bug. You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org