[Koha-bugs] [Bug 23516] New: Incorrect permissions on modrequest.pl could lead to unauthorized hold changes

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Aug 28 20:25:46 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23516

            Bug ID: 23516
           Summary: Incorrect permissions on modrequest.pl could lead to
                    unauthorized hold changes
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5 - low
         Component: Hold requests
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: oleonard at myacpl.org
        QA Contact: testopia at bugs.koha-community.org
                CC: gmcharlt at gmail.com

When you modify a hold's priority or pickup location via the list of holds on a
particular title (/cgi-bin/koha/reserve/request.pl?biblionumber=X), you're
submitting the data to modrequest.pl.

modrequest.pl requires only "catalogue" permission. It can usually only be
accessed via request.pl which requires "reserveforothers => 'place_holds'"
permission.

However, a correctly-constructed link could allow a user without
"modify_holds_priority" permission to modify a hold's priority:

/cgi-bin/koha/reserve/modrequest.pl?reserve_id=RESERVEID&borrowernumber=BORROWERNUMBER&biblionumber=BIBLIONUMBER&rank-request=PRIORITY&pickup=LIBRARY&itemnumber=&suspend_until=
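As an added illustration (not Koha's own code and not the patch for this bug), this is the shape of the permission gate a Koha intranet script declares, with the weak setting described above beside a stricter one that mirrors what request.pl requires; the template name, the second check on modify_holds_priority and the flag values are assumptions for the example:

```perl
#!/usr/bin/perl
# Illustrative excerpt, not Koha's modrequest.pl. It shows why gating only on
# "catalogue" lets a direct GET to the hold-editing endpoint skip the check that
# request.pl performs, and how the endpoint itself can enforce the right flags.
use Modern::Perl;
use CGI qw( -utf8 );
use C4::Auth qw( get_template_and_user haspermission );
use C4::Context;

my $query = CGI->new;

# Weak: every staff user with "catalogue" can reach this script and submit
# rank-request / pickup changes, even without any reserveforothers rights.
# my $flags = { catalogue => 1 };

# Stricter (assumed): require the same sub-permission that request.pl requires,
# so the script that applies the change is gated like the page that links to it.
my $flags = { reserveforothers => 'place_holds' };

# get_template_and_user refuses the request (login / permission page) when the
# logged-in user lacks the flags listed in flagsrequired.
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
    {
        template_name => "reserve/request.tt",   # assumed template
        query         => $query,
        type          => "intranet",
        flagsrequired => $flags,
    }
);

# Defence in depth (assumed): a priority change is a distinct action, so
# re-check the finer-grained sub-permission before honouring rank-request,
# instead of trusting that the user arrived via request.pl.
my @rank = $query->multi_param('rank-request');
if ( @rank
    && !haspermission( C4::Context->userenv->{id},
        { reserveforothers => 'modify_holds_priority' } ) )
{
    print $query->header( -status => '403 Forbidden' );
    exit;
}
```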
