Link between user and aged circ retained through credit card payment

Bug #1417148 reported by Bill Erickson
Affects     Status      Importance   Assigned to   Milestone
Evergreen   Confirmed   Undecided    Unassigned
3.3         Won't Fix   Undecided    Unassigned
3.4         Won't Fix   Undecided    Unassigned

Bug Description

All Evergreen versions, circa 2.7.

When a user makes a credit card payment in the TPAC, the user making the payment is tracked via the money.credit_card_payment.accepting_usr field. In the case of TPAC payments, this will always be the logged in user. This information is retained when a circulation is aged, which makes it trivial to link an aged circulation transaction to the patron that circulated the item when TPAC-generated credit card payments are present.

Additionally, we store the first/last name and other patron information on credit card payments, which could be used to link patrons to transactions.

Tags: circ-billing
Bill Erickson (berick) wrote:

Note that bug #1474051 addresses part of this, specifically the storing of patron name and other credit card information. However, the money.credit_card_payment.accepting_usr link will still exist.

Kathy Lussier (klussier) wrote:

This issue just came up in a local discussion on aging circs. Although it is indeed a patron privacy issue, I'm thinking it's one that could be made a public security bug.

As a resolution, could we update the accepting_usr field to null when the aged circulation script is run?

Changed in evergreen:
status: New → Confirmed
Kathy Lussier (klussier) wrote:

Changing this to a public security bug as discussed in the Evergreen security list.

information type: Private Security → Public Security
Jason Stephenson (jstephenson) wrote:

I will take the approach of setting the accepting user to 1 for a credit card payment if the cash drawer is null at the time the circulation is aged.

Changed in evergreen:
assignee: nobody → Jason Stephenson (jstephenson)
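As an added example that is not code from this bug report or from the Evergreen project, the PostgreSQL sketch below shows the linkage the report describes (an aged circulation re-identified through accepting_usr on a self-service credit card payment) and the scrub proposed in the comments. Every table, every sample row, and every column other than accepting_usr and cash_drawer is a constructed assumption; Evergreen's real schema differs.

```sql
-- Constructed, simplified tables; NOT Evergreen's real schema.
CREATE TABLE actor_usr (id INT PRIMARY KEY, usrname TEXT);
CREATE TABLE aged_circulation (
    id           INT PRIMARY KEY,   -- keeps the original circulation id
    target_copy  INT,
    xact_finish  TIMESTAMPTZ        -- the patron id is deliberately NOT kept
);
CREATE TABLE credit_card_payment (
    id            INT PRIMARY KEY,
    xact          INT,              -- the circulation this payment settled
    amount        NUMERIC(8,2),
    cash_drawer   INT,              -- NULL for TPAC (patron self-service) payments
    accepting_usr INT REFERENCES actor_usr(id)
);

-- Constructed sample data: patron 42 paid a fine on their own circulation.
INSERT INTO actor_usr VALUES (1, 'admin'), (42, 'jdoe');
INSERT INTO aged_circulation VALUES (1001, 55, now() - interval '2 years');
INSERT INTO credit_card_payment VALUES (7, 1001, 2.50, NULL, 42);

-- Privacy audit: aged circulations that a self-service payment still ties
-- back to a patron. Staff-accepted payments (cash_drawer set) are excluded,
-- since accepting_usr there is the staff member, not the patron.
SELECT ac.id AS aged_circ, p.accepting_usr AS patron
  FROM aged_circulation ac
  JOIN credit_card_payment p ON p.xact = ac.id
 WHERE p.cash_drawer IS NULL;

-- Mitigation for the aging step: break the link on self-service payments
-- only. Kathy Lussier's comment proposes NULL; Jason Stephenson's proposes
-- the admin user (1), which is the choice if the column is NOT NULL.
UPDATE credit_card_payment p
   SET accepting_usr = NULL
  FROM aged_circulation ac
 WHERE p.xact = ac.id
   AND p.cash_drawer IS NULL;

-- The audit query above can then be re-run to confirm the link is gone.
```

A real deployment would run the UPDATE inside the same transaction that moves rows into the aged table, so no window exists in which the circulation is aged but the payment still names the patron.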
Jason Stephenson (jstephenson) wrote:

It appears that the fix for 3.3 will be different from that for 3.4 and 3.5/master. The latter fix could be rolled into any potential fix for bug 1858448.

Since this is a security bug, should this also be patched in 3.2 and 3.1?

Changed in evergreen:
assignee: Jason Stephenson (jstephenson) → nobody
tags: added: circ-billing