https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39142
--- Comment #25 from Martin Renvoize (ashimema) <[email protected]> ---
Created attachment 189757
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189757&action=edit
Bug 39142: (QA follow-up) Add permission checking for syspref overrides

This follow-up adds proper security controls for the DISABLE_SYSPREF_* URL parameter functionality introduced in Bug 14004. Previously, any user could bypass system preferences by using URL parameters without authorization.

Changes:
- Restricts DISABLE_SYSPREF_* parameter processing to users with debug permission
- Uses existing haspermission() method for consistent authorization checking
- Maintains superlibrarian access as expected
- Closes potential security loophole where unauthorized users could disable system preferences like IntranetUserJS and IntranetUserCSS

The debug UI buttons will only appear for authorized users, and now the underlying syspref override functionality requires the same permission, ensuring both UI and functional security are aligned.

Signed-off-by: Martin Renvoize <[email protected]>
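The check the commit message describes, as an added sketch that is not Koha's code or part of the attachment: the authorization decision is made before any DISABLE_SYSPREF_* parameter is read, so the UI and the handler enforce the same rule. `Example::User`, `syspref_overrides`, the single-argument `haspermission('debug')` call and the sample request are hypothetical; only the parameter prefix, the method name, the debug permission and the two preference names come from the message.

```perl
use strict;
use warnings;

# Hypothetical stand-in for a logged-in staff user (not a Koha class).
package Example::User {
    sub new {
        my ( $class, %args ) = @_;
        my $self = { superlibrarian => 0, permissions => {}, %args };
        return bless $self, $class;
    }

    # Assumed signature: one permission name. Superlibrarians pass every check.
    sub haspermission {
        my ( $self, $required ) = @_;
        return 1 if $self->{superlibrarian};
        return $self->{permissions}{$required} ? 1 : 0;
    }
}

package main;

# Return the preference names this request is allowed to disable.
# Unauthenticated or unauthorized callers get an empty list, whatever the
# query string contains. Assumption: presence of the parameter is enough.
sub syspref_overrides {
    my ( $user, $params ) = @_;
    return () unless $user && $user->haspermission('debug');

    my @names;
    for my $key ( sort keys %$params ) {
        push @names, $1 if $key =~ /\ADISABLE_SYSPREF_(\w+)\z/;
    }
    return @names;
}

# Constructed request parameters and users, for illustration only.
my %request = (
    DISABLE_SYSPREF_IntranetUserJS  => 1,
    DISABLE_SYSPREF_IntranetUserCSS => 1,
    q                               => 'example search',
);
my @cases = (
    [ 'no session'     => undef ],
    [ 'no permission'  => Example::User->new ],
    [ 'debug'          => Example::User->new( permissions => { debug => 1 } ) ],
    [ 'superlibrarian' => Example::User->new( superlibrarian => 1 ) ],
);
for my $case (@cases) {
    my @allowed = syspref_overrides( $case->[1], \%request );
    printf "%-14s -> [%s]\n", $case->[0], join( ', ', @allowed );
}
```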
