https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550
--- Comment #16 from Marc Véron <[email protected]> ---
(In reply to Jonathan Druart from comment #15)
> (In reply to Marc Véron from comment #14)
> > (In reply to Jonathan Druart from comment #12)
> > > Created attachment 62400 [details] [review]
> > > [ALTERNATIVE-PATCH] Bug 7550: SCO - Restrict access of patron's image
> > >
> > > With this patch if SelfCheckoutByLogin is set to 'username and
> > > password', only the logged in user will be able to see the image linked
> > > to his/her logged in account.
> > > If set to "barcode" we generate a token but it can be easily generated.
> > > You should add a warning in the about page if
> > > SelfCheckoutByLogin="barcode" and
> > > ShowPatronImageInWebBasedSelfCheck="Show".
> >
> > Hmm, my patch worked with a hash generated with the image file (as
> > recommended in comment #7), and it did not leave a security hole with
> > SelfCheckoutByLogin="barcode"
>
> Yes it does, in the same way as my patch. If you know the cardnumber (easy
> to guess) of someone you can access his^Ctheir image.

$patron_image->imagefile is a blob, no? - Really easy to guess.
