Jonathan Druart
0893a7c3db
There is a security issue in the self checkout module. The user used to check items out must have the circulate => circulate_remaining_permissions permissions. So even if a user does not have a login/password or a barcode he cans access to the circulation module of the intranet. Imagine if the sco patron used is a superlibrarian... This patch set will change the behavior and adds a new permission to access to the sco module (circulate => self_checkout). This permission should be the only one defined for this patron. IMPORTANT NOTE: Hopefully, this only works if both interfaces use the same domains (but different ports). Test plan: 0/ Does not apply this patch set 1/ Create a patron with the circulate => circulate_remaining_permissions and some others. Note his userid/pwd (later 'sco/sco'). Turn on WebBasedSelfCheck and AutoSelfCheckAllowed Fill the AutoSelfCheckID and AutoSelfCheckPass wich 'sco' and 'sco' 2/ Log you out from the OPAC and the intranet 3/ Go on the sco page 4/ Note that your are automatically logged in 5/ Go on the circulation module on the intranet side 6/ Oops 7/ Apply this patch 8/ Execute the updatedatabase 9/ Note that the sco user only has the new permission circulate => self_checkout, others have been removed 10/ Try to reproduce the issue, it should not access anything on the intranet side 11/ Confirm that there is no regression in the sco module Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Works well no regressions, changes the permissions appropriately. Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> |
||
|---|---|---|
| .. | ||
| mandatory | ||
| marcflavour | ||
| optional | ||