https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22063
Bug ID: 22063
Summary: Prevent library staff from changing other people's password.
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Authentication
Assignee: koha-bugs@lists.koha-community.org
Reporter: r.delahu...@arts.ac.uk
QA Contact: testo...@bugs.koha-community.org
CC: dpav...@rot13.org
Target Milestone: ---

We use LDAP authentication where the userid is passed to the university's authentication service and if a match is found the password must be the one the staff member themselves has chosen for their university network account. Only when the university's authentication service fails, or the user has no university account (such as our 3rd party support staff) does the local password (borrowers.password) get checked and used.

The 'Add, modify and view user Information' permission is astoundingly broad, allowing **any** user with catalogue access to change anyone's password. It is possible for someone to change the password of the superlibrarian, to claim access to all areas of Koha. If the superlibrarian were not logged on, they would effectively be locked out and lose control of the system.
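One way to narrow the password-change right described in the report, shown as an added example that is not part of the original report and is not Koha code: a staff member may reset another account's local password only when the target holds no permission the actor lacks. The permission labels, account names and the `may_change_password` helper are assumptions constructed for this sketch.

```python
from dataclasses import dataclass

# Labels assumed for this sketch; they are not Koha's internal flag names.
SUPERLIBRARIAN = "superlibrarian"
EDIT_PATRONS = "edit_patrons"  # stands in for 'Add, modify and view user Information'

@dataclass(frozen=True)
class Account:
    userid: str
    permissions: frozenset = frozenset()

def may_change_password(actor, target):
    """Return (allowed, reason) for actor changing target's local password."""
    if actor.userid == target.userid:
        return True, "own password"
    if SUPERLIBRARIAN in actor.permissions:
        return True, "actor is superlibrarian"
    if EDIT_PATRONS not in actor.permissions:
        return False, "actor lacks the patron-edit permission"
    if SUPERLIBRARIAN in target.permissions:
        return False, "target is superlibrarian"
    # Block takeover of any account more privileged than the actor's own.
    extra = target.permissions - actor.permissions
    if extra:
        return False, "target holds permissions actor lacks: " + ", ".join(sorted(extra))
    return True, "target has no permissions beyond actor's"

# Constructed sample accounts.
ADMIN = Account("admin", frozenset({SUPERLIBRARIAN}))
DESK = Account("desk", frozenset({"catalogue", EDIT_PATRONS}))
CATALOGUER = Account("cat1", frozenset({"catalogue", EDIT_PATRONS, "edit_catalogue"}))
SUPPORT = Account("support", frozenset({"catalogue"}))
PATRON = Account("patron42")

def decision_table():
    """Evaluate the rule for each constructed actor/target pair."""
    pairs = [(DESK, ADMIN), (DESK, CATALOGUER), (DESK, PATRON),
             (SUPPORT, PATRON), (ADMIN, DESK), (SUPPORT, SUPPORT)]
    return {(a.userid, t.userid): may_change_password(a, t) for a, t in pairs}

if __name__ == "__main__":
    for (actor, target), (ok, why) in decision_table().items():
        print(f"{actor:8} -> {target:9} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Because the rule compares permission sets, it also covers staff accounts that are more privileged than the actor without being superlibrarian.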