https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34306
--- Comment #6 from David Cook <[email protected]> ---
(In reply to Christopher Brannon from comment #5)
> David, you stated "There isn't anonymous access to
> /cgi-bin/koha/labels/spinelabel-home.pl. That page does require permission
> to access it."
>
> I cannot confirm your statement. I've tested this against a patron that
> does not have the label_creator permission, and she was able to access both
> tools. Another library also confirmed this. Please tell me where we are
> missing this. Is there another permission that might be allowing access to
> these tools somehow?

"Anonymous access" means unauthenticated access. That is, anyone on the Internet trying to access it. The original title made it sound like anyone could access the tool just by visiting the URL, which isn't the case.

Currently, "/cgi-bin/koha/labels/spinelabel-home.pl" requires the "catalogue" permission. Counterintuitively, the "catalogue" permission is the permission that generally provides access to the staff interface. That's why any of your authenticated staff users with staff interface permission will be able to view and use that tool.

It doesn't have serious security implications, but it is suboptimal.

(In reply to Christopher Brannon from comment #5)
> I would rather the permission label_creator
> permission remained the permission to this tool.

It's not currently the permission for this tool. That's why I talked about changing it to that permission.
