https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22063

            Bug ID: 22063
           Summary: Prevent library staff from changing other people's
                    password.
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: koha-bugs@lists.koha-community.org
          Reporter: r.delahu...@arts.ac.uk
        QA Contact: testo...@bugs.koha-community.org
                CC: dpav...@rot13.org
  Target Milestone: ---

We use LDAP authentication where the userid is passed to the university's
authentication service and if a match is found the password must be the one the
staff member themselves has chosen for their university network account. Only
when the university's authentication service fails, or the user has no
university account (such as our 3rd party support staff) does the local
password (borrowers.password) get checked and used. The 'Add, modify and view
user Information' permission is astoundingly broad, allowing **any** user with
catalogue access to change anyone's password. It is possible for someone to
change the password of the superlibrarian, to claim access to all areas of
Koha. If the superlibrarian were not logged on, they would effectively be
locked out and lose control of the system.
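A small model of the flow the report describes, added here as an illustration and not Koha code: LDAP is consulted first, the local password is only a fallback, and the broad patron-editing permission lets any holder overwrite anyone's local password. The permission name `borrowers`, the `Borrower` class and the `check`-style function are constructed for the example; `set_password_checked` shows the kind of privilege-aware check a fix would add.

```python
"""Toy model (added example, not Koha code) of the permission gap in the report."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional
import hashlib
import hmac
import os


@dataclass
class Borrower:
    userid: str
    permissions: FrozenSet[str]            # constructed flag names, e.g. {"borrowers"}
    superlibrarian: bool = False
    local_hash: Optional[bytes] = None     # stands in for borrowers.password
    salt: bytes = field(default_factory=lambda: os.urandom(16))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user: Borrower, password: str,
                 ldap: Callable[[str, str], Optional[bool]]) -> bool:
    """LDAP decides first; the local password is used only when LDAP is down
    or has no account for the user (the callback returns None)."""
    verdict = ldap(user.userid, password)
    if verdict is not None:
        return verdict
    return user.local_hash is not None and hmac.compare_digest(
        user.local_hash, _hash(password, user.salt))


def set_password_current(actor: Borrower, target: Borrower, new_pw: str) -> bool:
    """Behaviour described in the report: any 'borrowers' holder may change anyone."""
    if not (actor.superlibrarian or "borrowers" in actor.permissions):
        return False
    target.local_hash = _hash(new_pw, target.salt)
    return True


def set_password_checked(actor: Borrower, target: Borrower, new_pw: str) -> bool:
    """Proposed check: never set a password for an account that holds
    privileges the actor lacks; changing one's own password is always allowed."""
    if actor.userid != target.userid:
        if not (actor.superlibrarian or "borrowers" in actor.permissions):
            return False
        if target.superlibrarian and not actor.superlibrarian:
            return False
        if not actor.superlibrarian and not target.permissions <= actor.permissions:
            return False
    target.local_hash = _hash(new_pw, target.salt)
    return True
```

The LDAP callback is a stand-in for the university service: returning `None` models the outage in which the overwritten local password becomes the one that counts.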
