[Koha-bugs] [Bug 6676] Acquisition basket access control trivially by-passable
bugzilla-daemon at bugs.koha-community.org
Tue Jan 6 19:03:11 CET 2015
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676
Katrin Fischer <katrin.fischer at bsz-bw.de> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED
--- Comment #5 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Bug appears no longer valid on master.
Without the order_manage and order_manage_all permissions the vendor search
shows only the vendor names, no options to create or access baskets.
Trying to reach a basket directly via URL fails - a login page is presented.
Without order_manage_all and AcqViewBaskets set to "created or managed by staff
member" an error message is shown when trying to access another person's
basket:
You are not authorised to manage this basket.
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
You are watching all bug changes.