http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7551
Bug #: 7551
Summary: Any logged-in OPAC user can renew items for others
using a properly constructed URL
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P1 - high
Component: OPAC
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]

opac-renew.pl takes whatever borrowernumber you give it, so if you know the
borrowernumber and itemnumber of the patron and item you can renew items for
anyone from the OPAC. In my test all that was required was a valid OPAC login.

To reproduce:
1. Log in to the OPAC as any valid user.
2. Point the browser to the URL of opac-renew.pl:
   http://koha.example.com/cgi-bin/koha/opac-renew.pl?borrowernumber=X&item=Y
   Where X is a Koha patron and Y is the itemnumber of something checked out to X.

_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
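
A minimal Perl model of the flaw reported above next to one way to close it, added here as an illustration; it is not Koha's code or the project's fix. The session hash, the %issues table and all function names are hypothetical, and the data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: itemnumber => borrowernumber holding the loan.
my %issues = ( 1001 => 51, 1002 => 52 );
my %renewals;    # itemnumber => number of renewals performed

# Renew only if the item is really on loan to the given patron.
sub do_renew {
    my ( $borrowernumber, $item ) = @_;
    my $holder = $issues{ $item // '' };
    return 'denied: item not on loan to patron'
        unless defined $holder && $holder eq $borrowernumber;
    $renewals{$item}++;
    return "renewed item $item for patron $borrowernumber";
}

# Shape described in the report: a login is required, but the patron
# acted upon is taken from the request parameter.
sub renew_trusting_param {
    my ( $session, $param ) = @_;
    return 'denied: not logged in' unless $session->{borrowernumber};
    return do_renew( $param->{borrowernumber}, $param->{item} );
}

# Hardened shape: the patron comes from the authenticated session only;
# a borrowernumber parameter that disagrees with it is rejected.
sub renew_bound_to_session {
    my ( $session, $param ) = @_;
    my $me = $session->{borrowernumber}
        or return 'denied: not logged in';
    return 'denied: borrowernumber does not match session'
        if defined $param->{borrowernumber}
        && $param->{borrowernumber} ne $me;
    return do_renew( $me, $param->{item} );
}

# Hypothetical session for patron 52 and a request naming patron 51's loan.
my $session = { borrowernumber => 52 };
my $request = { borrowernumber => 51, item => 1001 };

print 'trusting param:   ', renew_trusting_param( $session, $request ), "\n";
print 'bound to session: ', renew_bound_to_session( $session, $request ), "\n";
print 'own loan:         ',
    renew_bound_to_session( $session, { item => 1002 } ), "\n";
```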