From 49f36e71097d8d4f287e7bd45b4e5d8e5528b745 Mon Sep 17 00:00:00 2001
From: Kyle M Hall
Date: Fri, 26 Feb 2021 13:16:58 -0500
Subject: [PATCH] Bug 27812: Remove the ability to transmit a patron's plain text password over email

We should not give libraries the ability to compromise patron accounts, it is considered a huge security issue and nobody in network security would never recommend allowing passwords to be transmitted in clear text over email. It should simply not be possible to send a patron's password in plain text via email. As such, we should remove this ability from Koha.

Test Plan:
1) Apply this patch
2) Create a patron to generate the ACCTDETAILS email
3) Note you can no longer transmit the patron's password in the email

Signed-off-by: Amit Gupta
Signed-off-by: Martin Renvoize
Signed-off-by: Fridolin Somers
Signed-off-by: Kyle M Hall
---
 installer/data/mysql/en/mandatory/sample_notices.yml | 3 ++-
 members/memberentry.pl | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/installer/data/mysql/en/mandatory/sample_notices.yml b/installer/data/mysql/en/mandatory/sample_notices.yml
index ffcb4cb5d4..96995aba54 100644
--- a/installer/data/mysql/en/mandatory/sample_notices.yml
+++ b/installer/data/mysql/en/mandatory/sample_notices.yml
@@ -962,10 +962,11 @@ tables:
 - "Your new Koha account details are:"
 - ""
 - "User: <>"
- - "Password: <>"
 - ""
 - "If you have any problems or questions regarding your account, please contact your Koha Administrator."
 - ""
+ - "If you do not have your account password, please contact your Koha Administrator."
+ - ""
 - "Thank you,"
 - "Koha Administrator"
 - "kohaadmin@yoursite.org"
diff --git a/members/memberentry.pl b/members/memberentry.pl
index a21e631823..efb0d4283b 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
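Review bot: The Password line is removed only from the `en` sample notice that seeds new installations, and the diffstat lists no database update, so ACCTDETAILS templates already stored in existing installations presumably keep their password placeholder. What that placeholder now renders as depends on code outside this patch — likely an empty value, or the stored hash if the notice code reads the borrowers row — and this should be confirmed and, if needed, covered by an atomicupdate that strips the placeholder from existing templates, or at least by a release note telling libraries to edit the notice. The `"User: <>"` context line shows its placeholder with the contents stripped in this rendering, which looks like an extraction artifact rather than a change made here.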
@@ -456,6 +456,7 @@ if ((!$nok) and $nodouble and ($op eq 'insert' or $op eq 'save')){
 add_guarantors( $patron, $input );
 $borrowernumber = $patron->borrowernumber;
 $newdata{'borrowernumber'} = $borrowernumber;
+ delete $newdata{password};
 }
 # If 'AutoEmailOpacUser' syspref is on, email user their account details from the 'notice' that matches the user's branchcode.
--
2.39.5
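Review bot: `delete $newdata{password};` removes the plain-text value from `%newdata` only; whether the ACCTDETAILS notice built after this block can still reach the password by another route (`$input` or `$patron`, both in scope here) is not visible in the hunk and should be checked, since the notice-sending code sits past the hunk's last line. The enclosing `if ((!$nok) and $nodouble ...)` block starts outside the hunk. The new line also deserves a why-comment so a later refactor does not reorder it below the notice call: `# Bug 27812: never let the plain-text password reach notice templates`. Minor style point: the neighbouring line writes `$newdata{'borrowernumber'}` while the new line uses a bare key; the two should agree.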