https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34306

            Bug ID: 34306
           Summary: Able to access tools without permission
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Tools
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

In an attempt to work around bug 34288 until it is available to 22.11, I was
checking to see if going straight to /cgi-bin/koha/labels/spinelabel-home.pl
would be a reasonable workaround.  Indeed, it does work, but it works for
anyone that can get to the link, not just people that have permission to the
tool.  It does not seem that this tool is managed by the label_creator
permission.

Then I thought, maybe this permission only manages
/cgi-bin/koha/labels/label-home.pl, so I tested that.  But nope.  I can bypass
permissions and get to that page.  Aren't permissions supposed to prevent you
from getting to the tools at all?  Anyone can easily share URLs to pages.  If
all the permissions are doing is allowing a tool link to show, that is not much
of a permission.  I'm a bit concerned about this.
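
The behaviour reported above, as an added example that is not part of the original report and is not Koha code: a constructed Python model in which a permission controls the menu link but the handler may or may not re-check it, plus an audit that requests every hidden page directly. The two label paths come from the report; the registry, the `enforce` flag, the hardened path, and the pairing of `spinelabel-home.pl` with `label_creator` are assumptions for illustration.

```python
# Constructed model, not Koha code: each tool is registered with the permission
# that controls its menu link; `enforce` says whether the handler re-checks it.
REGISTRY = {}  # path -> (menu_permission, handler)

def tool(path, menu_permission, enforce):
    def wrap(fn):
        def handler(user_perms):
            # Server-side check: the only control that survives a shared URL.
            if enforce and menu_permission not in user_perms:
                return 403, "forbidden"
            return fn()
        REGISTRY[path] = (menu_permission, handler)
        return handler
    return wrap

# Paths from the report; enforce=False models the behaviour the reporter saw.
@tool("/cgi-bin/koha/labels/label-home.pl", "label_creator", enforce=False)
def label_home():
    return 200, "label creator"

@tool("/cgi-bin/koha/labels/spinelabel-home.pl", "label_creator", enforce=False)
def spinelabel_home():
    return 200, "spine label tool"

# Hypothetical path showing a handler that does enforce its permission.
@tool("/hypothetical/hardened-tool.pl", "label_creator", enforce=True)
def hardened_tool():
    return 200, "hardened tool"

def menu(user_perms):
    """Links the UI would render for this user."""
    return sorted(p for p, (perm, _) in REGISTRY.items() if perm in user_perms)

def audit(user_perms):
    """Paths hidden from this user's menu that still answer 200 on a direct request."""
    shown = set(menu(user_perms))
    return sorted(p for p, (_, h) in REGISTRY.items()
                  if p not in shown and h(user_perms)[0] == 200)

if __name__ == "__main__":
    for path in audit(set()):
        print("permission not enforced:", path)
```

Run as a regression check, `audit` should return an empty list for every permission set once each handler enforces the permission that gates its link.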
