Able to login to staff client with old card number
Bug #1844121 reported by Dawn Dale
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Evergreen | Fix Released | High | Unassigned | |
3.6 | Fix Released | High | Unassigned | |
Bug Description
We recently discovered that staff are able to use an old card number to log into the staff client. We see this as a security problem.
For example, Mrs. Jones is a library manager and works at library A. Mrs. Jones misplaces her library card and needs to get a new one. Her card is replaced. Out of habit, she logs into EG with her old card number and PIN and is successful. Realizing her mistake, she logs out and uses her new card number. However, if her card is found by someone, they could log into EG using her card. I realize this is not very likely, but it is still a security problem.
Thanks,
tags: added: circulation
information type: Public → Private Security
information type: Private Security → Public Security
Changed in evergreen: importance: Undecided → High
Changed in evergreen: assignee: nobody → Mike Rylander (mrylander)
Changed in evergreen: status: Fix Committed → Fix Released
Confirmed in Evergreen 3.3.2
I made sure that the old card hasn't been checked as active, but even so, I was able to use the card number to log in.
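The behaviour reported above, as an added example that is not part of the original report and is not Evergreen's code: a login that resolves a card barcode to a staff account without checking the card's active flag, beside the same lookup with the check. The schema, function names, barcodes and PIN are hypothetical and constructed for illustration, and the missing active check is an assumed cause, not one stated in this report.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the sample never stores a plaintext PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one staff account, one replaced card, one current card."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, salt BLOB, pin_hash BLOB);
        CREATE TABLE card  (barcode TEXT PRIMARY KEY, staff_id INTEGER, active INTEGER);
    """)
    salt = os.urandom(16)
    db.execute("INSERT INTO staff VALUES (1, 'Mrs. Jones', ?, ?)", (salt, _hash("4321", salt)))
    db.executemany("INSERT INTO card VALUES (?, 1, ?)",
                   [("OLD-0001", 0), ("NEW-0002", 1)])  # old card was deactivated on replacement
    return db


def login(db, barcode: str, pin: str, require_active_card: bool):
    """Return the staff id on success, None on failure."""
    sql = ("SELECT s.id, s.salt, s.pin_hash FROM card c "
           "JOIN staff s ON s.id = c.staff_id WHERE c.barcode = ?")
    if require_active_card:
        sql += " AND c.active = 1"  # hardened form: an inactive card never resolves to an account
    row = db.execute(sql, (barcode,)).fetchone()
    if row is None:
        return None
    staff_id, salt, pin_hash = row
    return staff_id if hmac.compare_digest(_hash(pin, salt), pin_hash) else None


def inactive_cards(db):
    """Audit helper: barcodes that must no longer authenticate anyone."""
    return [r[0] for r in db.execute("SELECT barcode FROM card WHERE active = 0 ORDER BY barcode")]


if __name__ == "__main__":
    db = build_db()
    for barcode in inactive_cards(db):
        print(barcode, "lookup ignoring active flag:", login(db, barcode, "4321", False))
        print(barcode, "lookup requiring active card:", login(db, barcode, "4321", True))
```

Running the audit helper's output through the login path after an upgrade is a quick regression check that replaced cards are rejected.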