[Koha-bugs] [Bug 7550] Self checkout: limit display of patron image to logged-in patron

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Apr 20 16:18:17 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550

--- Comment #26 from Marc Véron <veron at veron.ch> ---
(In reply to Marcel de Rooy from comment #24)
> (In reply to Marc Véron from comment #14)
> > Hmm, my patch worked with a hash generated with the image file (as
> > recommended in comment #7), and it did not leave a security hole with
> > SelfCheckoutByLogin="barcode"
> 
> Looks to me that this option is a security hole on itself?
> If I guess barcodes, I can still see all images? If I come on sco-main, I
> will automatically get the image from the img tag as well? Or do I
> misunderstand the discussion here?

We have two situations:

Situation #1

- SCO is up and running. A user logs in with whatever credentials necessary,
depending on SelfCheckoutByLogin 
- User copies the image link into the address bar of a new browser window. 
  It is something like:
  .../cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX
- User changes the borrowernumber
- Image of another user is displayed (should not be possible)

That's what this bug is about. Problem is solved by adding an unguessable token
to the link.

Problem #2

- SCO is up and running. SelfCheckOut is set to barcode (i.e. card number)
- Somebody comes along to the SCO station and tries to log in by guessing card
numbers. If the numbering pattern is simple, there is a good chance that they
can break in.

That's what this bug is not about. IMO problem #2 should be discussed and
addressed in a new bug.
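The token-based fix described for situation #1, as an added Python sketch that is not Koha's own code: the image link carries an HMAC bound to the logged-in SCO session and the borrowernumber, and the image endpoint refuses a copied link whose borrowernumber was edited. The sco-patron-image.pl path is the one quoted above; the `token` parameter, the session id and the server secret are assumptions.

```python
"""Session-bound token for the SCO patron image link (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret; a real deployment keeps it in config, not in code.
SERVER_SECRET = secrets.token_bytes(32)
IMAGE_SCRIPT = "/cgi-bin/koha/sco/sco-patron-image.pl"


def image_token(session_id: str, borrowernumber: int) -> str:
    """HMAC that binds a borrowernumber to the one SCO session allowed to view it."""
    msg = f"{session_id}:{borrowernumber}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def patron_image_link(session_id: str, borrowernumber: int) -> str:
    """Link sco-main would put in its <img> tag (the 'token' parameter is assumed)."""
    query = urlencode({"borrowernumber": borrowernumber,
                       "token": image_token(session_id, borrowernumber)})
    return f"{IMAGE_SCRIPT}?{query}"


def serve_patron_image(url: str, session_id: str) -> Optional[int]:
    """Endpoint-side check: the borrowernumber whose image may be served, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        borrowernumber = int(params["borrowernumber"][0])
        token = params["token"][0]
    except (KeyError, IndexError, ValueError):
        return None          # missing or malformed parameters
    expected = image_token(session_id, borrowernumber)
    # Constant-time compare so a guessed token cannot be confirmed byte by byte.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None          # borrowernumber or token does not match this session
    return borrowernumber


def tampered_link_is_rejected(session_id: str = "sco-session-A") -> bool:
    """Replays situation #1: copy the link, then edit the borrowernumber in it."""
    link = patron_image_link(session_id, 1234)          # constructed patron numbers
    tampered = link.replace("borrowernumber=1234", "borrowernumber=1235")
    return (serve_patron_image(link, session_id) == 1234
            and serve_patron_image(tampered, session_id) is None)
```

Because the token also includes the session id, the same link pasted from a different session is rejected as well, not only one with an edited borrowernumber.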
