[Koha-devel] Restricting access to acquisition baskets

Mason James mtj at kohaaloha.com
Mon Aug 8 23:32:39 CEST 2011


On 2011-08-3, at 4:12 AM, Edgar Fuß wrote:

> Currently, while booksellers.pl tries to restrict a user's ability to view baskets, that's easily circumvented simply by altering the basketno CGI parameter to, e.g., basket.pl.
> 
> I can think of three ways to close this security hole:
> 
> 1. Check permissions in every script that deals with baskets. This would probably require an addition to C4::Auth.
> 2. Randomise basket numbers.
> 3. Add a random key to each basket that must be given as a CGI parameter (in addition to basketno) in order for a script to allow access to that basket.
> 
> Please note that for my own part, I'm unaffected by this problem. I have only a single branch and allow access to all that branch's baskets anyway.
> Nevertheless, I would give implementing a fix a try if there is consensus on which way to go.


There are 3 user-permission settings to control access to acq-baskets:

•  group_manage Manage orders & basketgroups
•  order_manage Manage orders & basket
•  order_receive Manage orders & basket


Have you tested accessing a basket, with all 3 settings 'off'?
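As an added illustration of option 1 from Edgar's list (a server-side check in every script that touches a basket), here is a small model of the idea. It is not Koha code and does not use Koha's real schema or the C4::Auth API: the basket table, the User record and the three flag names are constructed for the example, and the flag names are taken from the list above. The point it demonstrates is that the decision is made from the basket record looked up on the server, not from anything in the request, so editing basketno in the URL gains nothing when the caller's branch or permissions do not match.

```python
"""Server-side authorization check for acquisition baskets (illustrative).

Models option 1 from the thread: each basket-handling script resolves the
basket from the server-side store and checks the caller's permissions
against that record before doing anything else. Every data structure here
is constructed for the example; none of it is Koha's real schema or API.
"""

from dataclasses import dataclass, field

# Constructed stand-in for the aqbasket table: basketno -> owning branch.
BASKETS = {
    101: {"branch": "MAIN", "booksellerid": 7},
    102: {"branch": "EAST", "booksellerid": 7},
    103: {"branch": "MAIN", "booksellerid": 9},
}

# The three acquisition sub-permissions named in the reply above.
ACQ_FLAGS = {"group_manage", "order_manage", "order_receive"}


@dataclass
class User:
    userid: str
    branch: str
    flags: set = field(default_factory=set)
    superlibrarian: bool = False


class AccessDenied(Exception):
    """Raised whenever the check refuses; callers render a 403, not the basket."""


def can_access_basket(user, basketno, baskets=BASKETS):
    """Return the basket record if `user` may touch it, otherwise raise.

    Deny by default: an unknown basket, a caller with none of the three
    acquisition flags, or a basket owned by another branch all refuse.
    """
    basket = baskets.get(basketno)
    if basket is None:
        raise AccessDenied(f"basket {basketno} does not exist")
    if user.superlibrarian:
        return basket
    if not (user.flags & ACQ_FLAGS):
        raise AccessDenied("no acquisition permission")
    if basket["branch"] != user.branch:
        raise AccessDenied("basket belongs to another branch")
    return basket


def is_allowed(user, basketno, baskets=BASKETS):
    """Boolean convenience wrapper around can_access_basket()."""
    try:
        can_access_basket(user, basketno, baskets)
        return True
    except AccessDenied:
        return False


def handle_request(user, params, baskets=BASKETS):
    """Simulates a basket script's entry point: parse the CGI parameter,
    then run the check before any basket data is read or rendered."""
    try:
        basketno = int(params.get("basketno", ""))
    except ValueError:
        raise AccessDenied("malformed basketno")
    return can_access_basket(user, basketno, baskets)


if __name__ == "__main__":
    bob = User("bob", "EAST", {"order_receive"})
    # bob legitimately sees his own branch's basket ...
    print(handle_request(bob, {"basketno": "102"}))
    # ... but a tampered basketno for another branch is refused.
    print(is_allowed(bob, 101))
```

Because the check lives in one function, every basket script calls it with the parsed basketno and the logged-in user; there is no per-script logic to forget, which is the failure the original post describes for booksellers.pl.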


