https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23108

            Bug ID: 23108
           Summary: staffaccess permission can be easily circumvented
 Change sponsored?: ---
           Product: Koha
           Version: 18.11
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Patrons
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected], [email protected]
  Target Milestone: ---

A user without the staffaccess permission cannot change the permissions or
password for another user belonging to a patron category that is not type
Staff. This works as intended.

BUT: A user without the staffaccess permission can simply change a Staff user
to a new non-staff patron category and then make changes to permissions and/or
password.

To test:
- create patron category STAFF with type Staff
- create patron A and patron B in category STAFF
- create patron category ADULT with type Adult
- give patron A catalogue and borrowers permissions (but NOT staffaccess)
- log in as patron A
- verify that you cannot change permissions for patron B
- verify that you cannot change password for patron B
- change patron B to category ADULT
- change patron B's permission
- change patron B's password

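The test plan above, modelled as an added example (not Koha code and not part of the original report): the gate on editing permissions or passwords reads the target's current category type, while the category change itself is not gated on staffaccess. The `Patron` class, the function names and the `hardened` switch are assumptions made for illustration; the hardened branch is one possible check, not the project's fix.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour in the report; names are hypothetical.
CATEGORY_TYPE = {"STAFF": "Staff", "ADULT": "Adult"}

@dataclass
class Patron:
    name: str
    category: str
    permissions: set = field(default_factory=set)

def is_staff(patron):
    return CATEGORY_TYPE[patron.category] == "Staff"

def can_edit_credentials(actor, target):
    """Gate for changing target's permissions or password (per the test plan)."""
    if "borrowers" not in actor.permissions:
        return False
    # The decision depends on the target's *current* category type.
    return not is_staff(target) or "staffaccess" in actor.permissions

def change_category(actor, target, new_category, hardened):
    """Apply the category change; return True if it was allowed."""
    if "borrowers" not in actor.permissions:
        return False
    # Assumed hardening: moving a Staff-type patron to another category
    # needs the same permission as editing that patron's credentials.
    if hardened and is_staff(target) and "staffaccess" not in actor.permissions:
        return False
    target.category = new_category
    return True

def run_test_plan(hardened):
    """Follow the report's steps; return (before, moved, after)."""
    a = Patron("A", "STAFF", {"catalogue", "borrowers"})  # no staffaccess
    b = Patron("B", "STAFF")
    before = can_edit_credentials(a, b)           # expected: denied
    moved = change_category(a, b, "ADULT", hardened)
    after = can_edit_credentials(a, b)            # allowed once B is ADULT
    return before, moved, after

if __name__ == "__main__":
    print("as reported:", run_test_plan(hardened=False))
    print("hardened:   ", run_test_plan(hardened=True))
```
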