https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37258

            Bug ID: 37258
           Summary: Locked records can still be modified/deleted by an
                    unauthorized librarian with merge and in advanced
                    editor
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5 - low
         Component: Cataloging
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected]
        Depends on: 31791

Locked records can still be modified/deleted by an unauthorized librarian with
merge and in advanced editor.

Although the Edit record action is grayed out in the regular Edit pulldown,
and an attempt to open the basic editor directly
(.../cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=<biblionumber>) results
in an Error 403 page, an unauthorized user is still able to modify/delete a
locked record in several ways, including:

1. merge operation: if a locked record has been chosen as the destination (ref)
record, fields can be inserted/deleted from it as a result of a merge and so
modifying the locked record;

2. merge operation: if a locked record has NOT been chosen as the destination
(ref) record, the locked record will be deleted;

3. a user can launch the advanced editor directly (with the URL
.../cgi-bin/koha/cataloguing/editor.pl#catalog/<biblionumber>) and save the
modified version, with no respect for the lock status and the edit_locked_records
permission.

Theoretically, such a user could be restricted from using the advanced editor,
but this does not seem like the right way of solving this issue. And the merge
path would still remain open.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31791
[Bug 31791] Add the ability to lock records to prevent modification through the
Koha staff interface
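The underlying defect is that the lock check lives only in the basic editor's entry point (addbiblio.pl), while merge and the advanced editor are separate write paths that never consult it. The model below is an added illustration, not Koha code: Record, User, Forbidden and the three write functions are hypothetical, and only the edit_locked_records permission name comes from the report. It shows a single authorization gate applied to every path that modifies or deletes a record, including both sides of a merge.

```python
"""Hypothetical model (not Koha's code) of a central lock check that every
write path must pass through: editor save, merge destination, merge source."""
from dataclasses import dataclass, field


@dataclass
class Record:
    biblionumber: int
    fields: dict = field(default_factory=dict)  # MARC tag -> value (toy model)
    locked: bool = False
    deleted: bool = False


@dataclass
class User:
    permissions: set


class Forbidden(Exception):
    """Raised where the staff interface would answer with the 403 page."""


def assert_can_modify(user: User, record: Record) -> None:
    # The only place the lock is evaluated; callers never re-implement it.
    if record.locked and "edit_locked_records" not in user.permissions:
        raise Forbidden(f"record {record.biblionumber} is locked")


def save_record(user: User, record: Record, new_fields: dict) -> None:
    # Used by both the basic and the advanced editor in this model.
    assert_can_modify(user, record)
    record.fields = dict(new_fields)


def merge_records(user: User, destination: Record, sources: list) -> None:
    # A merge modifies the destination and deletes every source, so all of
    # them are checked before anything is written.
    for rec in [destination, *sources]:
        assert_can_modify(user, rec)
    for src in sources:
        for tag, value in src.fields.items():
            destination.fields.setdefault(tag, value)
        src.deleted = True


def raises_forbidden(action, *args) -> bool:
    """Helper for checks: True if the action is refused by the lock gate."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False
```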