[Koha-bugs] [Bug 23108] staffaccess permission can be easily circumvented
bugzilla-daemon at bugs.koha-community.org
Thu Aug 1 18:37:40 CEST 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108
Aguayo <azucena.aguayo at uvu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |azucena.aguayo at uvu.edu

--- Comment #2 from Aguayo <azucena.aguayo at uvu.edu> ---
Hi Jonathan,

The ProtectSuperlibrarianPrivileges doesn't prevent the issue with either
option set.

If Patron A with only borrower permissions attempts to change the password
using the "Change Password" button for Patron B, Patron A gets an error that
they can't change the username/password of Patron B. Working as intended.

However, Patron A can use the "Edit" button and change Patron B from Staff
category to Adult category. Then after saving the account, Patron A can change
the username/password of Patron B.

At this point, Patron B is locked out of their account.

In my case, Patron A has the following rights:
-(circulate)
-(catalogue)
-(borrowers)

Patron A doesn't have:
-(permissions)
-(staffaccess)

(borrowers) is enough to allow the change from Staff to Adult. It seems that
the settings protecting the Staff accounts don't look at the Edit rights of
borrowers to prevent a category change.

And ProtectSuperlibrarianPrivileges only prevents password changes for the
Staff category.
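
The gap reported in comment #2, as an added example (a simplified model, not Koha's code or API): a credential check keyed on the target's current category can be sidestepped when the edit check does not also treat a category change as protected. The function names, the STAFF_CATEGORIES set, Patron A's own category and the rule that crossing the staff boundary in either direction requires staffaccess are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: which categories count as staff; the name comes from the report.
STAFF_CATEGORIES = {"Staff"}

@dataclass
class Patron:
    name: str
    category: str
    permissions: set = field(default_factory=set)

def may_change_password(actor, target):
    """Credential check as reported: staff targets require staffaccess."""
    if "borrowers" not in actor.permissions:
        return False
    return target.category not in STAFF_CATEGORIES or "staffaccess" in actor.permissions

def may_edit_naive(actor, target, new_category):
    """Edit check that ignores what the edit does to the target's category."""
    return "borrowers" in actor.permissions

def may_edit_hardened(actor, target, new_category):
    """Moving a patron across the staff boundary needs the same right that
    protects staff credentials."""
    if "borrowers" not in actor.permissions:
        return False
    crosses = (target.category in STAFF_CATEGORIES) != (new_category in STAFF_CATEGORIES)
    return not crosses or "staffaccess" in actor.permissions

def replay(edit_check):
    """Run the reported sequence on constructed patrons; return each decision."""
    a = Patron("Patron A", "Staff", {"circulate", "catalogue", "borrowers"})
    b = Patron("Patron B", "Staff")
    steps = [("password change while Staff", may_change_password(a, b))]
    edit_ok = edit_check(a, b, "Adult")
    steps.append(("edit category Staff -> Adult", edit_ok))
    if edit_ok:
        b.category = "Adult"  # the saved edit changes what later checks see
    steps.append(("password change after edit", may_change_password(a, b)))
    return steps

if __name__ == "__main__":
    for label, check in (("naive", may_edit_naive), ("hardened", may_edit_hardened)):
        print(label)
        for step, allowed in replay(check):
            print(f"  {step}: {'allowed' if allowed else 'denied'}")
```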