http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550

             Bug #: 7550
           Summary: Self checkout should limit display of patron image to
                    logged-in patron
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: master
          Platform: All
               URL: /cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Self checkout
        AssignedTo: [email protected]
        ReportedBy: [email protected]
         QAContact: [email protected]


The patron image display in the self-checkout takes a GET parameter from the
image source, so if someone copied the image location and substituted the
barcode string they could browse through all patron images:

<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX">

It would offer patrons better privacy to limit that request based on the
currently-logged-in user.

_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
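An added illustration of the fix the report asks for, written in Python rather than Koha's Perl and not part of Koha's code base: a handler for a per-patron image request in the vulnerable shape (serving whatever `cardnumber` arrives in the query string) beside a hardened one that derives the patron from the server-side session and refuses any mismatching request. The session table, patron image store, function names and image bytes are constructed assumptions, not Koha's data structures.

```python
"""Added example (not Koha's own code): binding a per-patron image endpoint
to the logged-in patron instead of trusting a cardnumber GET parameter."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample data standing in for the patron image table.
PATRON_IMAGES = {
    "CARD0001": b"\x89PNG-alice",
    "CARD0002": b"\x89PNG-bob",
}

# Constructed, hypothetical server-side session store: session id -> cardnumber
# of the patron who authenticated at the self-checkout station.
SESSIONS = {
    "sess-alice": "CARD0001",
}


@dataclass
class Response:
    status: int
    body: bytes


def serve_image_weak(query_string: str) -> Response:
    """The pattern the report describes: the only input deciding whose image
    is returned is the client-supplied cardnumber, so any authenticated or
    unauthenticated client can enumerate every patron's image."""
    cardnumber = parse_qs(query_string).get("cardnumber", [""])[0]
    image = PATRON_IMAGES.get(cardnumber)
    if image is None:
        return Response(404, b"")
    return Response(200, image)


def serve_image_hardened(query_string: str, session_id: Optional[str]) -> Response:
    """Hardened handler: the patron is taken from the session, never from the
    URL. A cardnumber parameter is tolerated for compatibility but must equal
    the session's patron; anything else is refused rather than honoured."""
    session_card = SESSIONS.get(session_id) if session_id else None
    if session_card is None:
        # No logged-in patron: nothing may be served.
        return Response(401, b"")

    requested = parse_qs(query_string).get("cardnumber", [session_card])[0]
    if requested != session_card:
        # A mismatch is the enumeration attempt from the report; deny it and
        # leave a log line so operators can spot repeated probing.
        print(f"patron-image: session patron {session_card} requested {requested}; denied")
        return Response(403, b"")

    image = PATRON_IMAGES.get(session_card)
    if image is None:
        return Response(404, b"")
    return Response(200, image)


if __name__ == "__main__":
    print(serve_image_weak("cardnumber=CARD0002"))
    print(serve_image_hardened("cardnumber=CARD0002", "sess-alice"))
    print(serve_image_hardened("", "sess-alice"))
```

The hardened handler never needs the cardnumber at all; keeping the parameter only as a consistency check means an existing `<img>` tag keeps working for the patron it belongs to while the substituted-barcode request from the report gets a 403.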
