[Koha-bugs] [Bug 7550] Self checkout: limit display of patron image to logged-in patron

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Apr 19 23:32:52 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550

--- Comment #18 from Marc Véron <veron at veron.ch> ---
Could it be that we talk about different things? 

The initial comment was:
-----
The patron image display in the self-checkout takes a GET parameter from the
image source, so if someone copied the image location and substituted the
barcode string they could browse through all patron images:

<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX">

It would offer patrons better privacy to limit that request based on the
currently-logged-in user.
-----
(Note that meanwhile the param is borrowernumber).

So somebody who is logged in to SCO can browse through the images by
guessing/changing the borrowernumber:
http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=1
http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=2

With my two patches applied, a hash is added, based on the contents of the
image. The contents of the image is stored in the database (as blob)
The new link to display the image is something like:
http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=1&ck=a0923303852da8c10a383fb81f1a73d3
If you copy this address and change borrowernumber e.g. to 2, the image won't
display.

To create a hash that fits to borrowernumber 2, you would need the image,
otherwise it is impossible.

So again: Are we talking about different things? 
Are you talking about accessing the SCO screen by guessing the card number?

-- 
You are receiving this mail because:
You are watching all bug changes.
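The check the comment describes, as an added example that is not part of the bug report or of Koha's own code (Koha is Perl; this is a Python model of the same logic). It assumes the `ck` value is the MD5 of the stored image blob (the 32-hex-character value in the comment looks like MD5, but the digest choice is an assumption) and uses constructed in-memory sample images in place of the database column. It also includes, for contrast, the session-bound check the bug title asks for, where the server compares the requested borrowernumber against the logged-in patron instead of relying on a hash the client supplies.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data standing in for the stored patron image blobs,
# keyed by borrowernumber. The bytes are placeholders, not real images.
PATRON_IMAGES = {
    1: b"\x89PNG\r\n\x1a\n-- constructed image bytes for patron 1 --",
    2: b"\x89PNG\r\n\x1a\n-- constructed image bytes for patron 2 --",
}


def image_checksum(image_bytes: bytes) -> str:
    """Hash of the image contents, used as the `ck` URL parameter.

    MD5 is assumed here because the value in the comment is 32 hex
    characters; the scheme only needs the value to be unobtainable
    without the image itself, so any digest would do.
    """
    return hashlib.md5(image_bytes).hexdigest()


def image_link(borrowernumber: int) -> Optional[str]:
    """The <img src> the SCO page emits after the patch (hypothetical helper).

    The server embeds the hash of the patron's own image, so the link is
    only valid for that one borrowernumber.
    """
    blob = PATRON_IMAGES.get(borrowernumber)
    if blob is None:
        return None
    return (
        "/cgi-bin/koha/sco/sco-patron-image.pl"
        f"?borrowernumber={borrowernumber}&ck={image_checksum(blob)}"
    )


def serve_patron_image(borrowernumber: int, ck: str) -> Optional[bytes]:
    """Model of sco-patron-image.pl with the hash check applied.

    Returns the image only when the hash in the request matches the hash
    of the image stored for that borrowernumber. Editing borrowernumber
    in a copied link leaves `ck` pointing at the wrong image, so the
    request is refused. Constant-time comparison avoids leaking which
    prefix of the hash was right.
    """
    blob = PATRON_IMAGES.get(borrowernumber)
    if blob is None:
        return None
    if not hmac.compare_digest(image_checksum(blob), ck):
        return None
    return blob


def serve_patron_image_for_session(
    logged_in_borrowernumber: int, requested_borrowernumber: int
) -> Optional[bytes]:
    """The alternative the bug title describes: bind the image to the
    logged-in SCO patron and ignore any client-supplied token entirely.

    The requested borrowernumber is compared with the one held in the
    server-side session, so nothing the client can edit in the URL
    changes whose image is returned.
    """
    if requested_borrowernumber != logged_in_borrowernumber:
        return None
    return PATRON_IMAGES.get(requested_borrowernumber)


if __name__ == "__main__":
    link = image_link(1)
    print("link emitted for patron 1:", link)
    ck1 = image_checksum(PATRON_IMAGES[1])
    print("own image with own ck   :", serve_patron_image(1, ck1) is not None)
    print("patron 2 with patron 1 ck:", serve_patron_image(2, ck1) is not None)
    print("session-bound, other id :",
          serve_patron_image_for_session(1, 2) is not None)
```

Both checks stop the borrowernumber-guessing walk; the difference is what the token proves. With `ck`, anyone who has ever obtained a patron's image (or its hash) holds a durable capability for that image until it changes, and the hash must be recomputed from the blob on every request. With the session-bound check, the only fact consulted is who is logged in, which is what the bug title asks for.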