[Koha-bugs] [Bug 7550] New: Self checkout should limit display of patron image to logged-in patron

bugzilla-daemon at bugs.koha-community.org
Thu Feb 16 20:58:42 CET 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550

             Bug #: 7550
           Summary: Self checkout should limit display of patron image to
                    logged-in patron
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: master
          Platform: All
               URL: /cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Self checkout
        AssignedTo: koha.sekjal at gmail.com
        ReportedBy: oleonard at myacpl.org
         QAContact: koha.sekjal at gmail.com


The patron image display in the self-checkout takes a GET parameter from the
image source, so if someone copied the image location and substituted the
barcode string they could browse through all patron images:

<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX">

It would offer patrons better privacy to limit that request based on the
currently-logged-in user.

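The restriction proposed in the report, shown as an added example that is not part of the original message and is not Koha's code: the image lookup is keyed on the patron bound to the session, and a cardnumber parameter is accepted only when it matches that patron. The session table, image table and function names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Koha code. The session store, image table and all
# function names below are constructed for illustration.
use strict;
use warnings;

# Constructed data: session id -> cardnumber established at self-checkout login.
my %SESSIONS = ( 'sess-aaa' => '1001' );
# Constructed data: cardnumber -> image bytes.
my %IMAGES = ( '1001' => 'IMG-1001', '1002' => 'IMG-1002' );

# Behaviour described in the report: the caller-supplied cardnumber alone
# selects the image, so any value can be substituted.
sub image_by_parameter {
    my ($requested) = @_;
    return exists $IMAGES{$requested} ? (200, $IMAGES{$requested}) : (404, '');
}

# Restricted form: the session decides whose image is served. The parameter
# is only accepted when it matches the logged-in patron.
sub image_for_session {
    my ($session_id, $requested) = @_;
    my $own = defined $session_id ? $SESSIONS{$session_id} : undef;
    return (401, '') unless defined $own;    # nobody is logged in
    return (403, '') if defined $requested && $requested ne $own;
    return exists $IMAGES{$own} ? (200, $IMAGES{$own}) : (404, '');
}

# Compare the status codes of both forms for three constructed requests.
for my $case (
    [ 'sess-aaa', '1001' ],    # patron requests their own image
    [ 'sess-aaa', '1002' ],    # cardnumber substituted in the URL
    [ undef,      '1001' ],    # no self-checkout session at all
) {
    my ($sid, $card) = @$case;
    my ($open)   = image_by_parameter($card);
    my ($strict) = image_for_session($sid, $card);
    printf "session=%s cardnumber=%s parameter-only=%d session-bound=%d\n",
        defined $sid ? $sid : '-', $card, $open, $strict;
}
```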