Restricting access to acquisition baskets
Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's easily circumvented simply by altering the basketno CGI parameter to, e.g. baket.pl. I can think of three ways to close this security hole: 1. Check permissions in every script that deals with baskets. This would probably require an addition to C4::Auth. 2. Randomise basket numbers. 3. Add a random key to each basket that must be given as a CGI parameter (in addition to basketno) in order for a script to allow access to that basket. Please note that for my own part, I'm unaffected by this problem. I have only a single branch and allow access to all that branches' baskets anyway. Nevertheless, I would give implementing a fix a try if there is consensus on which way to go.
On 2011-08-3, at 4:12 AM, Edgar Fuß wrote:
Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's easily circumvented simply by altering the basketno CGI parameter to, e.g. baket.pl.
hmmm, perhaps log this issue in bugzilla? -> http://bugs.koha-community.org/bugzilla3/
On 2011-08-7, at 11:07 PM, Edgar Fuß wrote:
hmmm, perhaps log this issue in bugzilla? I just filed 6676 for this.
cool, thanx for that :)
However, I was used to discussing such issues on a developer list first.
i think this was discussed on the koha-devel list, about a week ago...
On 2011-08-3, at 4:12 AM, Edgar Fuß wrote:
Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's easily circumvented simply by altering the basketno CGI parameter to, e.g. baket.pl.
I can think of three ways to close this security hole:
1. Check permissions in every script that deals with baskets. This would probably require an addition to C4::Auth. 2. Randomise basket numbers. 3. Add a random key to each basket that must be given as a CGI parameter (in addition to basketno) in order for a script to allow access to that basket.
Please note that for my own part, I'm unaffected by this problem. I have only a single branch and allow access to all that branches' baskets anyway. Nevertheless, I would give implementing a fix a try if there is consensus on which way to go.
there are 3 user-permission settings to control access to acq-baskets • group_manage Manage orders & basketgroups • order_manage Manage orders & basket • order_receive Manage orders & basket have you tested accessing a basket, with all 3 settings 'off'?
have you tested accessing a basket, with all 3 settings 'off'? No, of course I haven't. The other member of staff surely ought to have one of these permissions.
I'm talking about having two members of staff (let's call them A and B) which both have been granted the rights to handle acquisitions. You may further imagine A and B working at different branches. You probably don't want one branches' staff to access another branches' acquisitions. Now A creates an order, say that's basket number 42. In acqui/booksellers.pl, there is code to prevent B from being shown basket 42 (currently, that code is broken, but that's another issue). But B can simply click on one of his own baskets (say 41), and in the URL being redirected to, edit ``basketno=41'' to ``basketno=42''. Voila, he can access A's basket he's supposedly not to do.
participants (2)
-
Edgar Fuß -
Mason James