https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36695

            Bug ID: 36695
           Summary: anonymous patron is not blocked from checkout via SIP
 Change sponsored?: ---
           Product: Koha
           Version: 23.05
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: SIP2
          Assignee: koha-bugs@lists.koha-community.org
          Reporter: cbran...@cdalibrary.org
        QA Contact: testo...@bugs.koha-community.org

The anonymous patron is not allowed to check out through the staff module, but
it appears that you can check out as this user via SIP2, particularly through
3rd party self check systems that do not require the patron to enter a
password.

While it is more likely this could be exploited with a random library card
number, this does create a hole in blocking circ on this account.

1. Make sure AnonymousPatron is pointed to an account.
2. Point your 3rd party self check at Koha, and do not require a password for
patron authentication.  (You COULD also test with a username/password scenario,
which also shouldn't be allowed).
3. Verify that if you go to the anonymous patron account in the staff
interface, you cannot check out items.
4. Sign into the 3rd party self check with the anonymous account, either as a
sign in with cardnumber only, or with the username/password scenario.
5. Proceed to check out items!

Our system is set up for cardnumber only, but I imagine it works just the same
with username/password.  But I can confirm that this account is checking out
via SIP2.
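As an added illustration (not Koha's own code), a minimal Python SIP2 checkout handler that mirrors the staff-interface block: an 11 (Checkout) request whose AA patron identifier matches the configured anonymous patron gets a 12 response with the ok flag set to 0. The cardnumber, institution id and item id are constructed placeholders standing in for the AnonymousPatron setting and real records.

```python
# Added example, not Koha code: refuse SIP2 checkout for the anonymous patron.
# SIP2 Checkout (11): "11" + renewal policy(1) + no block(1) + transaction
# date(18) + nb due date(18) + variable fields "AO..|AA..|AB..|" (AY/AZ
# sequence/checksum trailer omitted here for brevity).
from datetime import datetime, timezone

# Constructed stand-in for the AnonymousPatron system preference's cardnumber.
ANONYMOUS_PATRON_CARDNUMBER = "ANON0001"


def parse_sip2_checkout(msg: str) -> dict:
    """Split an 11 request into its fixed fields and a dict of variable fields."""
    if not msg.startswith("11"):
        raise ValueError("not a SIP2 checkout request")
    fixed = msg[2:40]                      # 1 + 1 + 18 + 18 fixed-width characters
    fields = {}
    for part in msg[40:].rstrip("|").split("|"):
        if len(part) >= 2:                 # two-letter field id, then its value
            fields[part[:2]] = part[2:]
    return {"renewal_policy": fixed[0], "no_block": fixed[1], "fields": fields}


def sip2_date() -> str:
    """Transaction date in SIP2 layout: YYYYMMDDZZZZHHMMSS (ZZZZ blank = local)."""
    return datetime.now(timezone.utc).strftime("%Y%m%d    %H%M%S")


def handle_checkout(msg: str, anonymous=ANONYMOUS_PATRON_CARDNUMBER) -> str:
    """Build the 12 (Checkout Response); ok flag is msg[2] ('1' allowed, '0' denied)."""
    req = parse_sip2_checkout(msg)
    patron = req["fields"].get("AA", "")
    item = req["fields"].get("AB", "")
    tail = "AOmain|AA" + patron + "|AB" + item + "|AJ|AH|"
    if patron == anonymous:
        # ok=0, renewal ok=N, magnetic media=U, desensitize=N, plus AF screen message
        return "120NUN" + sip2_date() + tail + "AFCheckout not permitted for this patron|"
    # A real server would now apply circulation rules; this example just allows.
    return "121NUY" + sip2_date() + tail


def checkout_allowed(msg: str) -> bool:
    """Convenience wrapper: True when the 12 response carries ok flag '1'."""
    return handle_checkout(msg)[2] == "1"


if __name__ == "__main__":
    # Constructed request: cardnumber-only sign-in as the anonymous patron.
    sample = "11" + "0N" + "20240101    120000" + " " * 18 + "AOmain|AAANON0001|ABITEM1|"
    print(handle_checkout(sample))   # 12 response with ok flag 0
```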
