https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41971
Bug ID: 41971
Summary: Library-specific Pages for OPAC openly accessible
Initiative type: ---
Sponsorship status: ---
Product: Koha
Version: 24.11
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Tools
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
After an upgrade of test and production instances from Koha 22.11 to Koha
24.11, we discovered that Pages (Tools > Additional tools) with
library-specific (branch-specific) settings were openly accessible. That is,
not only could they be viewed by patrons of other libraries, they could be
viewed publicly (without authentication).
To reproduce:
1. Create a new page.
   - Display location = OPAC
   - Library = specific, but different from the current user (for certainty)
   - Publication date = Yesterday or Today
   - Title and Content = minimally necessary content
2. Save the new page.
3. Right-click the OPAC link and copy the link address.
4. Open a Guest profile window, which has no association with any existing
session.
5. Paste the link and go to the address.
6. The library-specific page will be loaded without prompting for
authentication.
(If using a sandbox, ensure that OPACBaseURL is set correctly.)