[Koha-bugs] [Bug 7550] Self checkout: limit display of patron image to logged-in patron
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Apr 19 22:17:29 CEST 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550
--- Comment #16 from Marc Véron <veron at veron.ch> ---
(In reply to Jonathan Druart from comment #15)
> (In reply to Marc Véron from comment #14)
> > (In reply to Jonathan Druart from comment #12)
> > > Created attachment 62400 [details] [review] [review] [review]
> > > [ALTERNATIVE-PATCH] Bug 7550: SCO - Restrict access of patron's image
> > >
> > > With this patch if SelfCheckoutByLogin is set to 'username and
> > > password', only the logged in user will be able to see the image linked
> > > to his/her logged in account.
> > > If set to "barcode" we generate a token but it can be easily generated.
> > > You should add a warning in the about page if
> > > SelfCheckoutByLogin="barcode" and ShowPatronImageInWebBasedSelfCheck="Show".
> >
> > Hmm, my patch worked with a hash generated with the image file (as
> > recommended in comment #7), and it did not leave a security hole with
> > SelfCheckoutByLogin="barcode"
>
> Yes it does, on the same way as my patch. If you know the cardnumber (easy
> to guess) of someone you can access his^Ctheir image.
$patron_image->imagefile is a blob, no? - Really easy to guess.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list