| commit | 3cc0e7cae3ab063a0e77a12123177bb26348f20a | |
| author | Martin Renvoize <martin.renvoize@ptfs-europe.com> | |
| Tue, 19 Nov 2019 14:51:50 +0000 (19 14:51 +0000) | ||
| committer | Victor Grousset/tuxayo <victor@tuxayo.net> | |
| Tue, 25 Aug 2020 03:49:41 +0000 (25 05:49 +0200) | ||
| tree | 9effb9ce0c5dce32dd7256a11b9760af2098a2af | treesnapshot (tar.gz zip) |
| parent | 848512d46627f9a3b6748c8a9af0f50ee6869012 | commitdiff |
Bug 23634: Prevent non-superlibrarians from editing superlibarian emails
This patchset prevents a non-superlibrarian user from editing a
superlibrarians email address via memberentry. This is to prevent a
privilege escalation vulnerability whereby a user could update a
superlibrarians contact details to match their own and then request a
password reset via the OPAC.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit e707fdf7b6ca155ec9abd47e2e8aef1549f01f10)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
This patchset prevents a non-superlibrarian user from editing a
superlibrarians email address via memberentry. This is to prevent a
privilege escalation vulnerability whereby a user could update a
superlibrarians contact details to match their own and then request a
password reset via the OPAC.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit e707fdf7b6ca155ec9abd47e2e8aef1549f01f10)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
| koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt | diffblobblamehistory | |
| members/memberentry.pl | diffblobblamehistory |