https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550
--- Comment #18 from Marc Véron <[email protected]> ---

Could it be that we talk about different things? The initial comment was:

-----
The patron image display in the self-checkout takes a GET parameter from the image source, so if someone copied the image location and substituted the barcode string they could browse through all patron images:

<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?cardnumber=XXXX">

It would offer patrons better privacy to limit that request based on the currently-logged-in user.
-----

(Note that meanwhile the param is borrowernumber.)

So somebody who is logged in to SCO can browse through the images by guessing/changing the borrowernumber:

http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=1
http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=2

With my two patches applied, a hash is added, based on the contents of the image. The contents of the image are stored in the database (as blob). The new link to display the image is something like:

http://192.168.1.31/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=1&ck=a0923303852da8c10a383fb81f1a73d3

If you copy this address and change borrowernumber e.g. to 2, the image won't display. To create a hash that fits to borrowernumber 2, you would need the image, otherwise it is impossible.

So again: Are we talking about different things? Are you talking about accessing the SCO screen by guessing the card number?

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
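An added example (not Koha's code, and in Python rather than Koha's Perl) sketching the check the comment above describes: the image link carries a digest of the stored image bytes as ck, and the server returns the image only when the digest it recomputes from the blob for the requested borrowernumber matches. The sample image blobs, the choice of MD5 (suggested only by the 32-hex-character ck in the link above) and all helper names are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the patron image table: borrowernumber -> image blob.
PATRON_IMAGES = {
    1: b"\x89PNG\r\n\x1a\n constructed image bytes for patron 1",
    2: b"\x89PNG\r\n\x1a\n constructed image bytes for patron 2",
}


def image_token(blob: bytes) -> str:
    """Digest of the stored image contents; this is the 'ck' value in the link."""
    # Assumption: MD5, because the ck in the comment is 32 hex characters long.
    return hashlib.md5(blob).hexdigest()


def build_image_link(borrowernumber: int) -> Optional[str]:
    """Link the SCO page would emit for the logged-in patron's own image."""
    blob = PATRON_IMAGES.get(borrowernumber)
    if blob is None:
        return None
    return ("/cgi-bin/koha/sco/sco-patron-image.pl"
            f"?borrowernumber={borrowernumber}&ck={image_token(blob)}")


def serve_patron_image(borrowernumber: int, ck: str) -> Optional[bytes]:
    """Server side: recompute the digest from the stored blob, serve only on a match."""
    blob = PATRON_IMAGES.get(borrowernumber)
    if blob is None:
        return None
    # Constant-time comparison on bytes, so an arbitrary user-supplied ck
    # neither raises nor leaks how many leading characters matched.
    if not hmac.compare_digest(image_token(blob).encode(), ck.encode()):
        return None
    return blob


def handle_request(url: str) -> Optional[bytes]:
    """Parse the query string the way the image script would see it, then serve."""
    params = parse_qs(urlsplit(url).query)
    try:
        borrowernumber = int(params.get("borrowernumber", [""])[0])
    except ValueError:
        return None
    ck = params.get("ck", [""])[0]
    return serve_patron_image(borrowernumber, ck)
```

Changing borrowernumber in a copied link leaves the ck bound to the original image, so the recomputed digest for the other patron never matches and nothing is served.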
