[Koha-bugs] [Bug 23108] New: staffaccess permission can be easily circumvented

bugzilla-daemon at bugs.koha-community.org
Wed Jun 12 21:33:38 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108

            Bug ID: 23108
           Summary: staffaccess permission can be easily circumvented
 Change sponsored?: ---
           Product: Koha
           Version: 18.11
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Patrons
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: andrew at bywatersolutions.com
        QA Contact: testopia at bugs.koha-community.org
                CC: gmcharlt at gmail.com, kyle.m.hall at gmail.com
  Target Milestone: ---

A user without the staffaccess permission cannot change the permissions or
password for another user belonging to a patron category that is not type
Staff. This works as intended.

BUT: A user without the staffaccess permission can simply change a Staff user
to a new non-staff patron category and then make changes to permissions and/or
password.

To test:
- create patron category STAFF with type Staff
- create patron A and patron B in category STAFF
- create patron category ADULT with type Adult
- give patron A catalogue and borrowers permissions (but NOT staffaccess)
- log in as patron A
- verify that you cannot change permissions for patron B
- verify that you cannot change password for patron B
- change patron B to category ADULT
- change patron B's permission
- change patron B's password
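The weakness the report describes is an authorization check keyed on a mutable attribute (the target's patron category type) that the same unprivileged actor is allowed to change. The model below is an added example written for this page, not Koha's own code (Koha is written in Perl and its real data model and permission checks differ); the `Category`, `Patron`, permission names and the `hardened_set_category` rule are constructed for illustration. It runs the report's test plan twice: once against a category-change routine that only requires the `borrowers` permission, reproducing the escalation, and once against a hardened routine that treats moving a patron into or out of a Staff-type category as a staff-level change that itself requires `staffaccess`.

```python
"""Model of the authorization flaw in Koha bug 23108 (constructed example, not Koha code)."""
from dataclasses import dataclass, field


@dataclass
class Category:
    code: str
    category_type: str  # "S" = Staff, "A" = Adult (constructed codes)


@dataclass
class Patron:
    name: str
    category: Category
    permissions: set = field(default_factory=set)
    password: str = "initial"


# Constructed categories mirroring the report's test plan
STAFF = Category("STAFF", "S")
ADULT = Category("ADULT", "A")


def can_edit_sensitive_fields(actor: Patron, target: Patron) -> bool:
    """Permissions and password of a Staff-category patron require staffaccess;
    for any other category the ordinary borrowers permission is enough."""
    if target.category.category_type == "S":
        return "staffaccess" in actor.permissions
    return "borrowers" in actor.permissions


def set_permissions(actor: Patron, target: Patron, perms: set) -> None:
    if not can_edit_sensitive_fields(actor, target):
        raise PermissionError(f"{actor.name} may not edit permissions of {target.name}")
    target.permissions = set(perms)


def set_password(actor: Patron, target: Patron, new_password: str) -> None:
    if not can_edit_sensitive_fields(actor, target):
        raise PermissionError(f"{actor.name} may not change password of {target.name}")
    target.password = new_password


def vulnerable_set_category(actor: Patron, target: Patron, new_cat: Category) -> None:
    """Flawed variant: the category change only requires 'borrowers', so the
    attribute the sensitive-field check depends on can be rewritten freely."""
    if "borrowers" not in actor.permissions:
        raise PermissionError("borrowers permission required")
    target.category = new_cat


def hardened_set_category(actor: Patron, target: Patron, new_cat: Category) -> None:
    """Hardened variant (assumed mitigation, not the project's actual fix):
    moving a patron into or out of a Staff-type category is itself a staff-level
    change and is gated on staffaccess, so the check cannot be bypassed."""
    if "borrowers" not in actor.permissions:
        raise PermissionError("borrowers permission required")
    crosses_staff = "S" in (target.category.category_type, new_cat.category_type)
    if crosses_staff and "staffaccess" not in actor.permissions:
        raise PermissionError("staffaccess required to change a Staff category")
    target.category = new_cat


def direct_edit_blocked() -> bool:
    """Steps 'verify that you cannot change permissions/password for patron B'."""
    a = Patron("A", STAFF, {"catalogue", "borrowers"})
    b = Patron("B", STAFF)
    blocked = 0
    for action in (lambda: set_permissions(a, b, {"staffaccess"}),
                   lambda: set_password(a, b, "changed")):
        try:
            action()
        except PermissionError:
            blocked += 1
    return blocked == 2


def escalation_succeeds(set_category) -> bool:
    """Remaining steps: recategorise B as ADULT, then edit permissions and password.
    Returns True if an actor lacking staffaccess ends up editing a former Staff user."""
    a = Patron("A", STAFF, {"catalogue", "borrowers"})
    b = Patron("B", STAFF)
    try:
        set_category(a, b, ADULT)
        set_permissions(a, b, {"staffaccess"})
        set_password(a, b, "changed")
    except PermissionError:
        return False
    return "staffaccess" in b.permissions and b.password == "changed"


if __name__ == "__main__":
    print("direct edit blocked:", direct_edit_blocked())
    print("escalation (vulnerable):", escalation_succeeds(vulnerable_set_category))
    print("escalation (hardened):", escalation_succeeds(hardened_set_category))
```

The general lesson for reviewers of similar checks: whenever an authorization decision reads an attribute of the target object, every code path that can write that attribute must be gated at least as strictly as the decision it influences, otherwise the weaker write path becomes the bypass.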
