[Koha-bugs] [Bug 23108] New: staffaccess permission can be easily circumvented
bugzilla-daemon at bugs.koha-community.org
Wed Jun 12 21:33:38 CEST 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108
Bug ID: 23108
Summary: staffaccess permission can be easily circumvented
Change sponsored?: ---
Product: Koha
Version: 18.11
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Patrons
Assignee: koha-bugs at lists.koha-community.org
Reporter: andrew at bywatersolutions.com
QA Contact: testopia at bugs.koha-community.org
CC: gmcharlt at gmail.com, kyle.m.hall at gmail.com
Target Milestone: ---
A user without the staffaccess permission cannot change the permissions or
password for another user belonging to a patron category that is not type
Staff. This works as intended.
BUT: A user without the staffaccess permission can simply change a Staff user
to a new non-staff patron category and then make changes to permissions and/or
password.
To test:
- create patron category STAFF with type Staff
- create patron A and patron B in category STAFF
- create patron category ADULT with type Adult
- give patron A catalogue and borrowers permissions (but NOT staffaccess)
- log in as patron A
- verify that you cannot change permissions for patron B
- verify that you cannot change password for patron B
- change patron B to category ADULT
- change patron B's permission
- change patron B's password
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
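The gap described in the report, as an added example that is not part of the original message and is not Koha's code: a simplified Python model in which the credential gate depends on the target's category type while the category itself can be changed without staffaccess. The function names, the assumption that the borrowers permission is what allows editing a patron record, and the guarded variant are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed model: category code -> category type, as in the report's test plan.
CATEGORY_TYPE = {"STAFF": "Staff", "ADULT": "Adult"}

@dataclass
class Patron:
    name: str
    category: str
    permissions: set = field(default_factory=set)

def is_staff(patron):
    return CATEGORY_TYPE[patron.category] == "Staff"

def may_edit_credentials(actor, target):
    """Gate from the report: a Staff-type target requires 'staffaccess'."""
    if "borrowers" not in actor.permissions:  # assumption: borrowers gates patron edits
        return False
    return not is_staff(target) or "staffaccess" in actor.permissions

def change_category_unguarded(actor, target, new_category):
    """Reported behaviour: the category change does not consult 'staffaccess'."""
    if "borrowers" not in actor.permissions:
        return False
    target.category = new_category
    return True

def change_category_guarded(actor, target, new_category):
    """Hypothetical mitigation: a change that touches a Staff-type category
    (current or new) is as sensitive as editing a staff account."""
    if "borrowers" not in actor.permissions:
        return False
    touches_staff = is_staff(target) or CATEGORY_TYPE[new_category] == "Staff"
    if touches_staff and "staffaccess" not in actor.permissions:
        return False
    target.category = new_category
    return True

def run_test_plan(change_category):
    """Replays the report's steps; returns (allowed_before, moved, allowed_after)."""
    a = Patron("A", "STAFF", {"catalogue", "borrowers"})  # no staffaccess
    b = Patron("B", "STAFF")
    before = may_edit_credentials(a, b)
    moved = change_category(a, b, "ADULT")
    return before, moved, may_edit_credentials(a, b)

if __name__ == "__main__":
    print("unguarded:", run_test_plan(change_category_unguarded))
    print("guarded:  ", run_test_plan(change_category_guarded))
```
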