https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23516
Bug ID: 23516
Summary: Incorrect permissions on modrequest.pl could lead to unauthorized hold changes
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Hold requests
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
When you modify a hold's priority or pickup location via the list of holds on a
particular title (/cgi-bin/koha/reserve/request.pl?biblionumber=X), you're
submitting the data to modrequest.pl.
modrequest.pl requires only "catalogue" permission. It can usually only be
accessed via request.pl which requires "reserveforothers => 'place_holds'"
permission.
However, a correctly-constructed link could allow a user without
"modify_holds_priority" permission to modify a hold's priority:
/cgi-bin/koha/reserve/modrequest.pl?reserve_id=RESERVEID&borrowernumber=BORROWERNUMBER&biblionumber=BIBLIONUMBER&rank-request=PRIORITY&pickup=LIBRARY&itemnumber=&suspend_until=
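The defect described above is a classic case of authorizing the page that links to a form but not the script that performs the action. The following Python model is an added illustration, not Koha's own code: it mimics the shape of a `flagsrequired` check with the permission names quoted in the report ("catalogue", "reserveforothers" => "place_holds", "modify_holds_priority"; the assumption that `modify_holds_priority` lives under the `reserveforothers` module is mine), and contrasts an action handler that checks only "catalogue" with one that checks the permission governing the change.

```python
"""Added illustration (not Koha's code): authorize the action endpoint itself.

Models the bug in plain Python: the page that links to the form checks one
permission, but the script that actually changes the hold checks a weaker
one, so a direct request to the action script bypasses the intended check.
"""
from copy import deepcopy


class PermissionDenied(Exception):
    """Raised when the caller lacks a required flag (hypothetical helper)."""


def has_flag(user_flags, module, subperm=None):
    """Return True if the user holds `module` (optionally a specific subperm).

    `user_flags` is a constructed dict such as
    {"catalogue": True, "reserveforothers": {"place_holds": True}}; a module
    mapped to True means every subpermission in that module is granted.
    """
    granted = user_flags.get(module)
    if granted is True:
        return True
    if isinstance(granted, dict) and subperm is not None:
        return bool(granted.get(subperm))
    return False


def require(user_flags, flagsrequired):
    """Check every (module -> subperm | True) pair or raise PermissionDenied."""
    for module, need in flagsrequired.items():
        subperm = None if need is True else need
        if not has_flag(user_flags, module, subperm):
            raise PermissionDenied(module + (f" => {subperm}" if subperm else ""))


# Constructed sample hold queue for one title: reserve_id -> priority.
SAMPLE_HOLDS = {101: 1, 102: 2, 103: 3}


def modrequest_weak(user_flags, holds, reserve_id, rank):
    """Before: only 'catalogue' is checked, as the report describes."""
    require(user_flags, {"catalogue": True})
    holds = deepcopy(holds)
    holds[reserve_id] = rank
    return holds


def modrequest_fixed(user_flags, holds, reserve_id, rank):
    """After: the action script checks the permission that governs the action."""
    require(user_flags, {"reserveforothers": "modify_holds_priority"})
    holds = deepcopy(holds)
    holds[reserve_id] = rank
    return holds


def try_change(handler, user_flags, reserve_id, rank):
    """Run a handler and return ("ok", new_holds) or ("denied", message)."""
    try:
        return "ok", handler(user_flags, SAMPLE_HOLDS, reserve_id, rank)
    except PermissionDenied as exc:
        return "denied", str(exc)


# Constructed staff accounts: one with only catalogue, one with hold permissions.
CATALOGUE_ONLY = {"catalogue": True}
HOLDS_MANAGER = {
    "catalogue": True,
    "reserveforothers": {"place_holds": True, "modify_holds_priority": True},
}

if __name__ == "__main__":
    for label, flags in (("catalogue-only", CATALOGUE_ONLY), ("holds-manager", HOLDS_MANAGER)):
        print(label, "weak:", try_change(modrequest_weak, flags, 103, 1))
        print(label, "fixed:", try_change(modrequest_fixed, flags, 103, 1))
```

The point the model makes is that the check belongs in `modrequest_fixed` regardless of how the request arrived; whether the user came through the holds list page or typed a URL makes no difference to the handler, so the handler must enforce the permission itself.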
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs