[Koha-bugs] [Bug 2426] Management Permissions Deprecated

bugzilla-daemon at liblime.com bugzilla-daemon at liblime.com
Fri May 29 16:54:47 CEST 2009


http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=2426


Joe Atzberger <joe.atzberger at liblime.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major
--- Comment #4 from Joe Atzberger <joe.atzberger at liblime.com>  2009-05-29 14:54:46 ---
So I now consider the main problem to be that IndependantBranches is
essentially broken with respect to the way it "secures" the Set link.

As a granular permission, catalogue=>setbranch would make sense, but that
wouldn't fix it for non-granular Indy branches, since they would no longer be
able to control the appearance of that link separately (everyone w/ "catalogue"
would see it).

In reality that is all they are controlling, the appearance of the link.  The
user can still go to selectbranches.pl and set a new branch (they just don't
see the link).  So that represents a security failure.  I'm upgrading the
severity accordingly.

I'm open to suggestions about the best way to fix it, but using a different top
level permission (i.e. "management") cannot be it.  That would split the
security model for the page, and therefore for the links to the page, as
currently seen.

I think selectbranchprinter.pl and circulation.pl need to be refactored.  The
branch-setting has to happen at selectbranchprinter and NOT be a post back to
circulation.pl.  After that is successful, it can redirect to circulation (or
HTTP_REFERER).
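Added example, not part of Joe's comment and not Koha code: a small Python model of the two handler shapes the comment contrasts. The first hides the link but never re-checks on the request, so the branch changes for anyone who knows the URL; the second performs the change in the branch-setting handler itself, authorizes there, and only then redirects to circulation or to the referer. All names (`User`, `Session`, `may_set_branch`, `INDEPENDENT_BRANCHES`, the handler functions) are hypothetical stand-ins for the Koha scripts and the IndependantBranches preference, and the referer check is an added caveat (the comment does not discuss validating HTTP_REFERER).

```python
"""
Model of "hide the link" vs "enforce on the request" for a branch-switch page.
Hypothetical names throughout; this is not Koha's code or API.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class User:
    id: str
    flags: set = field(default_factory=set)   # granular permissions, e.g. {"catalogue"}
    superlibrarian: bool = False


@dataclass
class Session:
    user: User
    branch: str


# Stand-in for the IndependantBranches preference: when on, only a
# superlibrarian may change the branch a session operates under.
INDEPENDENT_BRANCHES = True


def may_set_branch(user: User) -> bool:
    """Single source of truth for the branch-switch decision."""
    if user.superlibrarian:
        return True
    if INDEPENDENT_BRANCHES:
        return False
    return "catalogue" in user.flags


def render_set_link_broken(user: User) -> str:
    """The pattern the comment calls a security failure: the only control is
    whether the link is rendered."""
    return '<a href="/selectbranchprinter.pl">Set</a>' if may_set_branch(user) else ""


def set_branch_broken(session: Session, params: dict):
    """Handler with no authorization check: it trusts that the link was hidden.
    Returns (status, location)."""
    session.branch = params["branch"]
    return 302, "/circulation.pl"


def safe_redirect_target(referer, default="/circulation.pl") -> str:
    """Follow HTTP_REFERER only when it is a same-site relative path; otherwise
    fall back to the default so the redirect cannot be pointed off-site."""
    if not referer:
        return default
    parts = urlsplit(referer)
    if parts.scheme or parts.netloc:            # absolute or protocol-relative URL
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return parts.path + (("?" + parts.query) if parts.query else "")


def set_branch_fixed(session: Session, params: dict, referer=None,
                     valid_branches=frozenset()):
    """The refactor the comment proposes: the branch change happens here, is
    authorized here, and only then redirects (to circulation or the referer).
    Returns (status, location_or_body)."""
    if not may_set_branch(session.user):
        return 403, "Forbidden"
    branch = params.get("branch")
    if branch not in valid_branches:
        return 400, "Unknown branch"
    session.branch = branch
    return 303, safe_redirect_target(referer)
```

Run it with a user who holds only "catalogue" while `INDEPENDENT_BRANCHES` is on: the broken handler changes the session branch even though no link was rendered, while the fixed handler returns 403 and leaves the branch alone.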

