[Bug 7550] Self checkout: limit display of patron image to logged-in patron



--- Comment #25 from Jonathan Druart <[hidden email]> ---
(In reply to Marcel de Rooy from comment #24)
> (In reply to Marc Véron from comment #14)
> > Hmm, my patch worked with a hash generated with the image file (as
> > recommended in comment #7), and it did not leave a security hole with
> > SelfCheckoutByLogin="barcode"
> Looks to me that this option is a security hole on itself?
> If I guess barcodes, I can still see all images? If I come on sco-main, I
> will automatically get the image from the img tag as well? Or do I
> misunderstand the discussion here?

The commit message says everything:
With this patch if SelfCheckoutByLogin is set to 'username and
password', only the logged in user will be able to see the image linked
to his/her logged in account.
If set to "barcode" we generate a token but it can be easily generated.
You should add a warning in the about page if
SelfCheckoutByLogin="barcode" and ShowPatronImageInWebBasedSelfCheck="Show".

Koha-bugs mailing list
[hidden email]
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
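The access rule the commit message describes, and the about-page warning the comment asks for, as an added illustration. This is not Koha code and does not model Koha's real session or preference APIs: the `ScoSession` class, the `prefs` dictionary and the function names are assumptions made only for this example; the two preference names and their values (`SelfCheckoutByLogin` set to `"username and password"` or `"barcode"`, `ShowPatronImageInWebBasedSelfCheck` set to `"Show"`) are the ones named on the page.

```python
"""Added illustration (hypothetical, not Koha's implementation) of:
 - serving a patron image in self checkout only to the patron who logged in
   with username and password, and
 - flagging the configuration the comment calls out as a security hole:
   barcode login combined with patron images shown.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScoSession:
    """Hypothetical self-checkout session: who was authenticated and how."""
    borrowernumber: int   # patron the session was opened for
    login_mode: str       # value of SelfCheckoutByLogin when the session was created


def can_view_patron_image(session: Optional[ScoSession],
                          requested_borrowernumber: int,
                          prefs: dict) -> bool:
    """Decide whether the image of `requested_borrowernumber` may be served.

    Mirrors the rule in the commit message quoted on the page:
    - nothing is served while the preference hides images;
    - with 'username and password' login the session proves identity, so only
      the logged-in patron's own image is served;
    - with 'barcode' login the page says a token is issued but is easy to
      generate, so a barcode alone is treated as sufficient here. That is the
      weak case the warning below exists for.
    """
    if prefs.get("ShowPatronImageInWebBasedSelfCheck") != "Show":
        return False
    if session is None:
        return False
    if session.login_mode == "username and password":
        return session.borrowernumber == requested_borrowernumber
    if session.login_mode == "barcode":
        # Knowledge of a barcode is all the requester has proven.
        return True
    return False


def sco_image_warnings(prefs: dict) -> list:
    """Return the about-page warning(s) for a risky preference combination.

    Empty list means no warning is needed.
    """
    warnings = []
    if (prefs.get("SelfCheckoutByLogin") == "barcode"
            and prefs.get("ShowPatronImageInWebBasedSelfCheck") == "Show"):
        warnings.append(
            "SelfCheckoutByLogin is 'barcode' and "
            "ShowPatronImageInWebBasedSelfCheck is 'Show': anyone who can guess "
            "a barcode can retrieve that patron's image through self checkout."
        )
    return warnings


# Constructed sample preferences for the two login modes.
PREFS_LOGIN = {"SelfCheckoutByLogin": "username and password",
               "ShowPatronImageInWebBasedSelfCheck": "Show"}
PREFS_BARCODE = {"SelfCheckoutByLogin": "barcode",
                 "ShowPatronImageInWebBasedSelfCheck": "Show"}
PREFS_HIDDEN = {"SelfCheckoutByLogin": "barcode",
                "ShowPatronImageInWebBasedSelfCheck": "Hide"}


if __name__ == "__main__":
    me = ScoSession(borrowernumber=42, login_mode="username and password")
    print("own image, password login:", can_view_patron_image(me, 42, PREFS_LOGIN))
    print("someone else's image, password login:",
          can_view_patron_image(me, 43, PREFS_LOGIN))
    for w in sco_image_warnings(PREFS_BARCODE):
        print("about page warning:", w)
```

The point of splitting the check into two functions is that the authorization decision and the configuration audit are independent: an administrator who keeps barcode login gets the warning on the about page, while patrons who logged in with a password are still confined to their own image.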