Currently, while booksellers.pl tries to restrict a user's ability to view 
baskets, that's easily circumvented simply by altering the basketno CGI 
parameter to, e.g., basket.pl.

I can think of three ways to close this security hole:

1. Check permissions in every script that deals with baskets. This would 
probably require an addition to C4::Auth.
2. Randomise basket numbers.
3. Add a random key to each basket that must be given as a CGI parameter (in 
addition to basketno) in order for a script to allow access to that basket.

Please note that for my own part, I'm unaffected by this problem. I have only a 
single branch and allow access to all that branch's baskets anyway.
Nevertheless, I would give implementing a fix a try if there is consensus on 
which way to go.
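A model of options 1 and 3 from the post, as an added example in Python that is not Koha code: the basket records, user records and branch codes are constructed sample data, and a real implementation would read them from Koha's database instead. It shows the point of option 1, that the branch check must be made server-side on every request from the stored basket record, and how option 3's per-basket key is layered on top rather than replacing that check.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data modelling acquisitions baskets; not Koha's schema.
@dataclass
class Basket:
    basketno: int
    branchcode: str
    # option 3: a random key stored with the basket, never derived from basketno
    access_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))

@dataclass
class User:
    userid: str
    branchcode: str
    superlibrarian: bool = False

BASKETS = {1: Basket(1, "CPL"), 2: Basket(2, "MPL")}  # constructed

def can_view_basket(user, basketno):
    """Option 1: authorise from the server-side record on every request.
    The client-supplied basketno only selects the record; it proves nothing."""
    basket = BASKETS.get(basketno)
    if basket is None:
        return False
    return user.superlibrarian or basket.branchcode == user.branchcode

def can_view_basket_with_key(user, basketno, supplied_key):
    """Option 3: the request must also carry the basket's random key.
    The key is an extra factor, so the branch check still applies."""
    basket = BASKETS.get(basketno)
    if basket is None or supplied_key is None:
        return False
    # constant-time comparison so a wrong key leaks nothing through timing
    if not hmac.compare_digest(basket.access_key, supplied_key):
        return False
    return can_view_basket(user, basketno)

def handle_request(user, params, require_key=False):
    """Mimics a CGI script reading basketno (and key) from the query string;
    returns an HTTP-style status so callers cannot tell 'missing' from 'denied'."""
    try:
        basketno = int(params.get("basketno", ""))
    except ValueError:
        return 403
    if require_key:
        allowed = can_view_basket_with_key(user, basketno, params.get("key"))
    else:
        allowed = can_view_basket(user, basketno)
    return 200 if allowed else 403
```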
_______________________________________________
Koha-devel mailing list
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel