[Koha-bugs] [Bug 7551] Any logged-in OPAC user can renew items for others using a properly constructed URL

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Feb 16 22:23:56 CET 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7551

Ian Walls <koha.sekjal at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA

--- Comment #3 from Ian Walls <koha.sekjal at gmail.com> 2012-02-16 21:23:56 UTC ---
Okay, this line has been in here since Koha 3.0, when the built-in SCO used to
use opac-renew to do its renewals.  Hence the need to use a different
borrowernumber than your own.  Now that SCO handles its own renewals, this is
just a security risk.  Marking Passed QA.

Follow up patch can be written to update opac-user.tt to no longer transmit the
borrowernumber, but that's just cleanup.
