Jonathan Druart
0893a7c3db
There is a security issue in the self checkout module. The user used to check items out must have the circulate => circulate_remaining_permissions permission. So even if a user does not have a login/password or a barcode, he can access the circulation module of the intranet. Imagine if the sco patron used is a superlibrarian...

This patch set will change the behavior and add a new permission to access the sco module (circulate => self_checkout). This permission should be the only one defined for this patron.

IMPORTANT NOTE: Hopefully, this only works if both interfaces use the same domains (but different ports).

Test plan:
0/ Do not apply this patch set
1/ Create a patron with the circulate => circulate_remaining_permissions permission and some others. Note his userid/pwd (later 'sco/sco'). Turn on WebBasedSelfCheck and AutoSelfCheckAllowed. Fill the AutoSelfCheckID and AutoSelfCheckPass with 'sco' and 'sco'
2/ Log out from the OPAC and the intranet
3/ Go to the sco page
4/ Note that you are automatically logged in
5/ Go to the circulation module on the intranet side
6/ Oops
7/ Apply this patch
8/ Execute the updatedatabase
9/ Note that the sco user only has the new permission circulate => self_checkout; the others have been removed
10/ Try to reproduce the issue; it should not access anything on the intranet side
11/ Confirm that there is no regression in the sco module

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Works well, no regressions, changes the permissions appropriately.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>