From 255d4023cda92ffcb2a9131434566d94c550bf0f Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 2 Sep 2015 16:09:35 +0100
Subject: [PATCH] Bug 14298: Add the new 'self_checkout' permissions

There is a security issue in the self checkout module.
The user used to check items out must have the circulate => circulate_remaining_permissions permissions.
So even a user who does not have a login/password or a barcode can access the circulation module of the intranet.
Imagine if the sco patron used is a superlibrarian...

This patch set changes the behavior and adds a new permission to access the sco module (circulate => self_checkout).
This permission should be the only one defined for this patron.

IMPORTANT NOTE: Hopefully, this only works if both interfaces use the same domains (but different ports).

Test plan:
0/ Do not apply this patch set
1/ Create a patron with the circulate => circulate_remaining_permissions and some others. Note his userid/pwd (later 'sco/sco'). Turn on WebBasedSelfCheck and AutoSelfCheckAllowed. Fill AutoSelfCheckID and AutoSelfCheckPass with 'sco' and 'sco'
2/ Log out of the OPAC and the intranet
3/ Go to the sco page
4/ Note that you are automatically logged in
5/ Go to the circulation module on the intranet side
6/ Oops
7/ Apply this patch
8/ Execute the updatedatabase
9/ Note that the sco user only has the new permission circulate => self_checkout, the others have been removed
10/ Try to reproduce the issue; it should not be possible to access anything on the intranet side
11/ Confirm that there is no regression in the sco module

Signed-off-by: Chris Cormack
Works well, no regressions, changes the permissions appropriately.

Signed-off-by: Katrin Fischer
(cherry picked from commit 08c7606c36f4383b402480ddab8a01dfa9acdccf)
Signed-off-by: Liz Rea
---
 ...d_permissions_circulate_self_checkout.perl | 27 +++++++++++++++++++
 .../mysql/en/mandatory/userpermissions.sql | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 installer/data/mysql/atomicupdate/bug_14298_add_permissions_circulate_self_checkout.perl
diff --git a/installer/data/mysql/atomicupdate/bug_14298_add_permissions_circulate_self_checkout.perl b/installer/data/mysql/atomicupdate/bug_14298_add_permissions_circulate_self_checkout.perl
new file mode 100644
index 0000000000..9ec23a051b
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_14298_add_permissions_circulate_self_checkout.perl
@@ -0,0 +1,27 @@
+use Modern::Perl;
+
+use C4::Context;
+my $dbh = C4::Context->dbh;
+
+$dbh->do(q|
+ INSERT INTO permissions (module_bit, code, description)
+ VALUES (1, 'self_checkout', 'Perform self checkout at the OPAC. It should be used for the patron matching the AutoSelfCheckID')
+|);
+
+my $AutoSelfCheckID = C4::Context->preference('AutoSelfCheckID');
+
+$dbh->do(q|
+ UPDATE borrowers
+ SET flags=0
+ WHERE userid=?
+|, undef, $AutoSelfCheckID);
+
+$dbh->do(q|
+ DELETE FROM user_permissions
+ WHERE borrowernumber=(SELECT borrowernumber FROM borrowers WHERE userid=?)
+|, undef, $AutoSelfCheckID);
+
+$dbh->do(q|
+ INSERT INTO user_permissions(borrowernumber, module_bit, code)
+ SELECT borrowernumber, 1, 'self_checkout' FROM borrowers WHERE userid=?
+|, undef, $AutoSelfCheckID);
diff --git a/installer/data/mysql/en/mandatory/userpermissions.sql b/installer/data/mysql/en/mandatory/userpermissions.sql
index 65c4bb81a7..f40dea7542 100644
--- a/installer/data/mysql/en/mandatory/userpermissions.sql
+++ b/installer/data/mysql/en/mandatory/userpermissions.sql
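Review bot: The update silently zeroes `flags` and deletes every `user_permissions` row of whichever account `AutoSelfCheckID` names, and when the preference is empty or matches no borrower the closing `INSERT ... SELECT` inserts nothing, so the self checkout patron ends up without the new permission and the failure only surfaces at runtime, with no message from the upgrade either way. Resolving the borrower once up front lets the script skip the revocation when there is no match, report what it did to the administrator, and replace the three repeated `userid=?` lookups with one bound `borrowernumber`. The `INSERT INTO permissions` at the top of the hunk has no duplicate guard, so re-running the update would presumably fail on the already-present `(module_bit, code)` row if the handle raises on errors; `INSERT IGNORE` would keep it idempotent. Note also that `WHERE userid=?` bound to an undefined preference compares against NULL and therefore matches nothing, which is harmless but worth stating in a comment.
```perl
# … unchanged: INSERT INTO permissions …

my $AutoSelfCheckID = C4::Context->preference('AutoSelfCheckID');
my ($borrowernumber) = $dbh->selectrow_array(
    q|SELECT borrowernumber FROM borrowers WHERE userid=?|, undef, $AutoSelfCheckID
);

if ( defined $borrowernumber ) {
    # The SCO patron must hold nothing but circulate => self_checkout.
    $dbh->do( q|UPDATE borrowers SET flags=0 WHERE borrowernumber=?|, undef, $borrowernumber );
    $dbh->do( q|DELETE FROM user_permissions WHERE borrowernumber=?|, undef, $borrowernumber );
    $dbh->do(
        q|INSERT INTO user_permissions(borrowernumber, module_bit, code) VALUES (?, 1, 'self_checkout')|,
        undef, $borrowernumber
    );
    say "Bug 14298: patron '$AutoSelfCheckID' (AutoSelfCheckID) now only has circulate => self_checkout";
}
else {
    say "Bug 14298: AutoSelfCheckID is unset or matches no borrower; no self_checkout permission was granted";
}
```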
@@ -4,6 +4,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 ( 1, 'overdues_report', 'Execute overdue items report'),
 ( 1, 'force_checkout', 'Force checkout if a limitation exists'),
 ( 1, 'manage_restrictions', 'Manage restrictions for accounts'),
+ ( 1, 'self_checkout', 'Perform self checkout at the OPAC. It should be used for the patron matching the AutoSelfCheckID'),
 ( 3, 'parameters_remaining_permissions', 'Remaining system parameters permissions'),
 ( 3, 'manage_circ_rules', 'manage circulation rules'),
 ( 6, 'place_holds', 'Place holds for patrons'),
-- 2.39.5
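Review bot: Only the `en` mandatory `userpermissions.sql` gains the `self_checkout` row; if the other language installer directories carry their own copy of this file (the diffstat shows none being touched), a fresh install in one of those languages would start without the permission, and the atomicupdate does not run on fresh installs. Worth confirming before merge, because the permission would then be absent from the permission list and could not be assigned to the SCO patron at all.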