[Koha-bugs] [Bug 6676] Acquisition basket access control trivially by-passable

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Aug 9 12:57:06 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |katrin.fischer at bsz-bw.de
         Depends on|                            |6390

--- Comment #3 from Katrin Fischer <katrin.fischer at bsz-bw.de> 2011-08-09 10:57:06 UTC ---
I will try to explain the problem a bit differently:

At the moment staff members can only see their own baskets on the vendor page.
And they are supposed to only take a look at their own baskets - so changing
the url should not work for them. 

The fact that staff members can only see their own baskets can be a problem
depending on the workflow in the specific library. I have filed bug 6390 for
this problem, but as the behaviour is intended we need to find a way to make it
configurable.

I think the best and most granular solution for this problem would be to add a
new permission 'Manage and view all baskets'. The other permissions could be
reworded too, to make it a bit more clear how they will work and affect what
you can do.

I think the problem is not guessing the url of another basket, it's that the
script should check if you are allowed to see the basket and change the display
appropriately.

So if you are not allowed to - show a message telling so.
If you are allowed - show the basket and its contents.

I think this would be consistent with how Koha works in other places and
therefore a better solution than randomizing parts of the URL.

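The check described in the comment above (the basket page itself asks whether this user may see this basket, instead of relying on the filtered vendor listing or on an unguessable URL), as an added example that is not Koha's code. The Basket/StaffUser model, the permission name, and the sample data are assumptions made for illustration; the "insecure" function shows the by-passable pattern next to the hardened one.

```python
"""
Added example: object-level authorization for an acquisitions basket page.
Illustrative data model and permission name; not Koha's code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hypothetical name for the 'Manage and view all baskets' permission
# proposed in the bug comment; this identifier is an assumption.
MANAGE_ALL_BASKETS = "acquisition.manage_all_baskets"


@dataclass(frozen=True)
class Basket:
    basketno: int
    vendor_id: int
    authorisedby: int  # borrowernumber of the staff member who created it
    name: str


@dataclass(frozen=True)
class StaffUser:
    borrowernumber: int
    permissions: FrozenSet[str]


# Constructed sample data: three staff members, three baskets at one vendor.
BASKETS: Dict[int, Basket] = {
    1: Basket(1, 10, 100, "Alice's monographs"),
    2: Basket(2, 10, 200, "Bob's serials"),
    3: Basket(3, 10, 100, "Alice's DVDs"),
}
ALICE = StaffUser(100, frozenset({"acquisition.order_manage"}))
BOB = StaffUser(200, frozenset({"acquisition.order_manage"}))
HEAD = StaffUser(300, frozenset({"acquisition.order_manage", MANAGE_ALL_BASKETS}))


def can_view_basket(user: StaffUser, basket: Basket) -> bool:
    """Authorization decision: the 'all baskets' permission, or ownership."""
    if MANAGE_ALL_BASKETS in user.permissions:
        return True
    return basket.authorisedby == user.borrowernumber


def list_baskets_for_vendor(user: StaffUser, vendor_id: int) -> List[int]:
    """Vendor page: the listing is filtered to what the user may see.
    Filtering a listing is a display decision, not access control; the
    basket page must still decide for itself."""
    return sorted(
        b.basketno for b in BASKETS.values()
        if b.vendor_id == vendor_id and can_view_basket(user, b)
    )


def basket_page_insecure(user: StaffUser, basketno: int) -> dict:
    """The by-passable pattern: basketno comes straight from the query
    string and is rendered without asking who may see it."""
    basket = BASKETS.get(basketno)
    if basket is None:
        return {"status": "not_found"}
    return {"status": "ok", "basket": basket}


def basket_page(user: StaffUser, basketno: int) -> dict:
    """Hardened pattern: re-check authorization for the specific object
    requested and change the display accordingly."""
    basket = BASKETS.get(basketno)
    if basket is None:
        return {"status": "not_found"}
    if not can_view_basket(user, basket):
        # Refuse without leaking the basket's contents or vendor.
        return {"status": "forbidden",
                "message": "You are not allowed to view this basket."}
    return {"status": "ok", "basket": basket}


if __name__ == "__main__":
    print(list_baskets_for_vendor(ALICE, 10))      # [1, 3]
    print(basket_page_insecure(BOB, 1)["status"])  # ok  (the reported bug)
    print(basket_page(BOB, 1)["status"])           # forbidden
    print(basket_page(HEAD, 1)["status"])          # ok
```

The same `can_view_basket` decision drives both the vendor listing and the basket page, so a user who edits `basketno` in the URL gets the "not allowed" message rather than another staff member's basket, while a user holding the new permission sees every basket in both places.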