[Koha-bugs] [Bug 22063] New: Prevent library staff from changing other people's password.
bugzilla-daemon at bugs.koha-community.org
Thu Jan 3 11:56:35 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22063
Bug ID: 22063
Summary: Prevent library staff from changing other people's password.
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Authentication
Assignee: koha-bugs at lists.koha-community.org
Reporter: r.delahunty at arts.ac.uk
QA Contact: testopia at bugs.koha-community.org
CC: dpavlin at rot13.org
Target Milestone: ---
We use LDAP authentication where the userid is passed to the university's
authentication service and if a match is found the password must be the one the
staff member themselves has chosen for their university network account. Only
when the university's authentication service fails, or the user has no
university account (such as our third-party support staff) does the local
password (borrowers.password) get checked and used. The 'Add, modify and view
user Information' permission is astoundingly broad, allowing **any** user with
catalogue access to change anyone's password. It is possible for someone to
change the password of the superlibrarian, to claim access to all areas of
Koha. If the superlibrarian were not logged on, they would effectively be
locked out and lose control of the system.
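The two behaviours in the report (the LDAP-first login with a local fallback, and the password-change permission that ignores the target's privilege level) modelled side by side with a hardened check. This is an added illustration, not Koha code: the accounts, the stand-in directory, and the `borrowers` permission flag name are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def hash_pw(password: str) -> str:
    # Simplified for the model; a real system stores a salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    userid: str
    permissions: set = field(default_factory=set)  # staff permission flags
    superlibrarian: bool = False
    ldap_managed: bool = True      # password normally lives in the directory
    local_hash: str = ""           # the borrowers.password fallback

def ldap_verify(userid: str, password: str):
    """Stand-in for the university directory (constructed data). Returns
    True/False for a known account, None when unknown or the service is down."""
    directory = {"alice": "alice-network-pw", "boss": "boss-network-pw"}
    if userid not in directory:
        return None
    return directory[userid] == password

def authenticate(acct: Account, password: str) -> bool:
    """LDAP-first flow from the report: the local password is consulted only
    when the directory gives no answer (failure or no university account)."""
    if acct.ldap_managed:
        verdict = ldap_verify(acct.userid, password)
        if verdict is not None:
            return verdict
    return bool(acct.local_hash) and hmac.compare_digest(acct.local_hash, hash_pw(password))

def has_patron_edit(acct: Account) -> bool:
    # "borrowers" is the assumed flag for 'Add, modify and view user Information'
    return acct.superlibrarian or "borrowers" in acct.permissions

def can_change_password_as_reported(actor: Account, target: Account) -> bool:
    """The gap the report describes: the patron-edit permission alone lets any
    staff member set anyone's local password, the superlibrarian's included."""
    return has_patron_edit(actor)

def can_change_password_hardened(actor: Account, target: Account) -> bool:
    """Hardened check: self-service always; otherwise patron-edit is required
    and the target may hold no privilege the actor lacks."""
    if actor.userid == target.userid:
        return True
    if not has_patron_edit(actor):
        return False
    if actor.superlibrarian:
        return True
    return not target.superlibrarian and target.permissions <= actor.permissions

STAFF = Account("alice", permissions={"borrowers", "catalogue"})
SUPERLIB = Account("boss", superlibrarian=True)
VENDOR = Account("vendor", permissions={"catalogue"}, ldap_managed=False,
                 local_hash=hash_pw("vendor-local-pw"))
```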