[Bug 11590] New: Librarian able to checkout item without setting branch first
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Bug ID: 11590 Summary: Librarian able to checkout item without setting branch first Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Circulation Assignee: koha-bugs@lists.koha-community.org Reporter: kyle@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com It is possible to begin circulating items to a patron without first setting your logged in branch! To recreate: 1) From the "Search patrons" quick search, search for any patron 2) From this patron's details screen, click the "Check out" quick search and put in a valid patron cardnumber 3) You are now able to issue items to this patron without having set your logged in branch. Video example: http://screencast.com/t/xvzRb8zYf -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |kyle@bywatersolutions.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 --- Comment #1 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 24595 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=24595&action=edit Bug 11590 - Librarian able to checkout item without setting branch first It is possible to begin circulating items to a patron without first setting your logged in branch! Test Plan: 1) From the "Search patrons" quick search, search for any patron 2) From this patron's details screen, click the "Check out" quick search and put in a valid patron cardnumber 3) You are now able to issue items to this patron without having set your logged in branch. 4) Apply this patch 5) Repeat steps 1-2, you should now be redirected to select a branch instead of being taken directly to circulation.pl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |critical -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |robin@catalyst.net.nz --- Comment #2 from Robin Sheat <robin@catalyst.net.nz> --- The giant warning saying that you shouldn't do that indicates that you shouldn't do that. A better fix is is to make that warning a bit more compulsory, e.g. cutting off access to functions that aren't related to configuration/management if you're the database user. Maybe also make the warning bigger and having blinking marqueed text so it doesn't get ignored. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |In Discussion CC| |chris@bigballofwax.co.nz --- Comment #3 from Chris Cormack <chris@bigballofwax.co.nz> --- (In reply to Robin Sheat from comment #2)
The giant warning saying that you shouldn't do that indicates that you shouldn't do that.
A better fix is is to make that warning a bit more compulsory, e.g. cutting off access to functions that aren't related to configuration/management if you're the database user.
Maybe also make the warning bigger and having blinking marqueed text so it doesn't get ignored.
Yep, what Robin is saying is that the real problem here is that you are logged in not as a real user but the db user. I agree that we should definitely not let the db user ever circulate. That would be a much better solution. Also, lots of other features should be blocked too. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 --- Comment #4 from Kyle M Hall <kyle@bywatersolutions.com> --- At this point I wonder why we still allow logins as the DB user. Wouldn't it be better to add a cli script to generate a first superlibrarian to log in with, and do away with db user logins altogether? (In reply to Chris Cormack from comment #3)
(In reply to Robin Sheat from comment #2)
The giant warning saying that you shouldn't do that indicates that you shouldn't do that.
A better fix is is to make that warning a bit more compulsory, e.g. cutting off access to functions that aren't related to configuration/management if you're the database user.
Maybe also make the warning bigger and having blinking marqueed text so it doesn't get ignored.
Yep, what Robin is saying is that the real problem here is that you are logged in not as a real user but the db user.
I agree that we should definitely not let the db user ever circulate. That would be a much better solution. Also, lots of other features should be blocked too.
-- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 --- Comment #5 from Robin Sheat <robin@catalyst.net.nz> --- (In reply to Kyle M Hall from comment #4)
At this point I wonder why we still allow logins as the DB user. Wouldn't it be better to add a cli script to generate a first superlibrarian to log in with, and do away with db user logins altogether?
Because it's really super handy as an administrator to be able to go in and tweak or check some things for someone without having to have your own account set up in their system. I do think that a large yellow warning ought to suffice, and this hasn't seemed to have come up nearly as often since that was implemented. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 --- Comment #6 from Galen Charlton <gmcharlt@gmail.com> --- (In reply to Robin Sheat from comment #5)
(In reply to Kyle M Hall from comment #4)
At this point I wonder why we still allow logins as the DB user. Wouldn't it be better to add a cli script to generate a first superlibrarian to log in with, and do away with db user logins altogether?
Because it's really super handy as an administrator to be able to go in and tweak or check some things for someone without having to have your own account set up in their system.
I do think that a large yellow warning ought to suffice, and this hasn't seemed to have come up nearly as often since that was implemented.
However, such issues have not been completely eliminated, either. It's not that big of a burden for folks who administer large numbers of Koha databases to simply create accounts from the CLI. I'm a +1 one for getting rid of the database user. If not that, at the very least we should stop exposing the database credentials that way and do something like putting in a new koha-conf.xml setting for username and (hashed!) password of a base superlibrarian "account". -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |ASSIGNED Assignee|kyle@bywatersolutions.com |jonathan.druart@bugs.koha-c | |ommunity.org CC| |jonathan.druart@bugs.koha-c | |ommunity.org Summary|Librarian able to checkout |Restrict the actions for |item without setting branch |the DB user |first | --- Comment #7 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Since we already agreed on not to use the DB user to navigate into Koha, I am stealing this bug report to submit a patch to restrict the actions of this user. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|critical |major -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #24595|0 |1 is obsolete| | --- Comment #8 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 40963 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40963&action=edit Bug 11590: Restrict the actions for the DB user The DB user (the one defined in the KOHA_CONF file, section config) should not be used to navigate into Koha. It has been decided to let it actif to create the first user easily. This patch suggests to restrict as much as possible the actions for this user. If logged with this user, the administrator will only be able to create the first user and that's all. Automatically the new user created will be a superlibrarian. Test plan: 1/ Use the DB user to log you in into Koha. 2/ Make sure you are just able to go to the about and help pages. On the main page, you are pleased to create an user. 3/ Click on the link to create a new user 4/ Fill the form and save 5/ You are redirected to the loggin page 6/ Use the new user credentials and confirm it has been created as a superlibrarian. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 --- Comment #9 from Robin Sheat <robin@catalyst.net.nz> --- It'd be nice to have a koha-conf.xml or environment override. In dev environments, I'm grabbing database and loading them in, and and prod environments I'm often needing to go in and get to the settings without having a login handy. (Personally, I think that it's trying to solve a problem that doesn't need to be solved, but that's just me.) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |enhancement --- Comment #10 from Robin Sheat <robin@catalyst.net.nz> --- ...and there is no circumstance where this is major importance. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |http://bugs.koha-community. | |org/bugzilla3/show_bug.cgi? | |id=9164 CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Zeno Tajoli <z.tajoli@cineca.it> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #40963|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|jonathan.druart@bugs.koha-c |koha-bugs@lists.koha-commun |ommunity.org |ity.org Status|Needs Signoff |ASSIGNED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11590 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEW -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org