Hello world, Kyle has found (without searching) a big security hole in fine management. Koha checks that a user can access a page when calling get_template_and_user sub. That's why this sub should always be at the beginning of every page. right, BUT : on pay.pl, we record the payement before checking the template & user permission. wow... big bug for libraries that uses fines, as anyone that can access librarian interface can "pay" fines in koha without problem... This bug should affect every version I'm afraid (2.2, dev_week, tumer, rel_3_0) I'll fix 2.2 & rel_3_0 asap (toins 1st job on monday probably ;-) ). It probably means just moving the get_template_and_user at the beginning of the script. -- Paul POULAIN et Henri Damien LAURENT Consultants indépendants en logiciels libres et bibliothéconomie (http://www.koha-fr.org) Tel : 04 91 31 45 19
participants (1)
-
Paul POULAIN