[Bug 7550] New: Self checkout should limit display of patron image to logged-in patron
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550 Bug #: 7550 Summary: Self checkout should limit display of patron image to logged-in patron Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Platform: All URL: /cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX OS/Version: All Status: NEW Severity: normal Priority: P5 - low Component: Self checkout AssignedTo: koha.sekjal@gmail.com ReportedBy: oleonard@myacpl.org QAContact: koha.sekjal@gmail.com The patron image display in the self-checkout takes a GET parameter from the image source, so if someone copied the image location and substituted the barcode string they could browse through all patron images: <img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX"> It would offer patrons better privacy to limit that request based on the currently-logged-in user. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha.sekjal@gmail.com |koha-bugs@lists.koha-commun | |ity.org --- Comment #1 from Owen Leonard <oleonard@myacpl.org> --- This bug is still valid in master, the only difference being that the image is now called by borrowernumber instead of card number: <img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX"> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@biblibre.co | |m --- Comment #2 from Jonathan Druart <jonathan.druart@biblibre.com> --- (In reply to Owen Leonard from comment #0)
The patron image display in the self-checkout takes a GET parameter from the image source, so if someone copied the image location and substituted the barcode string they could browse through all patron images:
<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX">
It would offer patrons better privacy to limit that request based on the currently-logged-in user.
It could only work if SelfCheckoutByLogin is set to 'username and password'. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org