Patron self-registration form ignores required fields if they are deleted

Bug #1862202 reported by Llewellyn Marshall on 2020-02-06

Bug Description

Evergreen Version: 3.3.4
openSRF version: 3.2.0
PGsql version: 9.5
Linux Distro: Ubuntu 16.04

A client alerted us that several patrons have registered without filling out the required "date of birth" field. After testing, we found the following exploit within the patron registration form:

When registering for a new card, the patron can delete inputs from the form within their browser to bypass required fields.

Steps to reproduce:
1. open self registration form with "request a library card" link.
2. Enter desired information.
3. Open the form in the browser's inspector and remove any number of "required" rows with the red asterisk.
4. Submit the form successfully. Any required fields that were deleted are ignored and the red error messages expected do not appear.

When looking in the "Pending patron" views, the required fields are empty and must be entered manually by the client to complete registration.

Inside of src/perlmods/lib/OpenILS/WWW/EGCatLoader/ the inspect_register_value subroutine checks the submitted data against the org unit settings to ensure that fields aren't blank. However, if the patron has deleted the form input (or the input doesn't get sent for some reason), there won't be any data to check against the settings.
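The flaw described above is a general validation pattern, not something specific to Evergreen: if the server walks the fields the client submitted and checks the required ones, a field the client never sends is never examined. The fix is to walk the server-side list of required fields and treat a missing key the same as a blank value. The following is an added illustration (Python, not Evergreen's Perl code and not the inspect_register_value subroutine itself); the org-unit settings, field names and submissions are constructed for the example and correspond to the three cases in the report: a complete form, a blank date of birth, and a date-of-birth input deleted in the browser inspector.

```python
# Added example: two ways of validating "required" fields against org-unit
# settings, modelled on the pattern described in this bug report. This is not
# Evergreen code; the field names, settings and forms below are constructed.

from typing import Dict, List, Mapping

# Constructed org-unit settings: True means the field is required.
REQUIRED_BY_ORG: Dict[str, bool] = {
    "usrname": True,
    "email": True,
    "dob": True,        # date of birth, the field the report says was skipped
    "day_phone": False,
}


def validate_submitted_only(form: Mapping[str, str],
                            settings: Mapping[str, bool]) -> List[str]:
    """Vulnerable pattern: only fields present in the submission are checked.

    A field the browser never sent (for example because the patron deleted the
    <input> in the inspector) is never seen by the loop, so it is silently
    accepted even though the org-unit setting marks it as required.
    Returns the names of fields that failed validation.
    """
    errors: List[str] = []
    for name, value in form.items():
        if settings.get(name) and not value.strip():
            errors.append(name)
    return errors


def validate_against_required(form: Mapping[str, str],
                              settings: Mapping[str, bool]) -> List[str]:
    """Hardened pattern: iterate the server-side list of required fields.

    Every field the settings mark as required must be present and non-blank;
    an absent key is treated exactly like a blank value. The client's form is
    never the source of truth for which checks run.
    Returns the names of fields that failed validation.
    """
    errors: List[str] = []
    for name, required in settings.items():
        if not required:
            continue
        value = form.get(name, "")      # missing key -> "" -> error
        if not value.strip():
            errors.append(name)
    return errors


# Constructed submissions for the three cases in the report.
COMPLETE = {"usrname": "jdoe", "email": "jdoe@example.org", "dob": "1990-01-01"}
BLANK_DOB = {"usrname": "jdoe", "email": "jdoe@example.org", "dob": ""}
DOB_INPUT_DELETED = {"usrname": "jdoe", "email": "jdoe@example.org"}  # no "dob" key


def compare(form: Mapping[str, str]) -> Dict[str, List[str]]:
    """Run both validators on one submission so the difference is visible."""
    return {
        "submitted_only": validate_submitted_only(form, REQUIRED_BY_ORG),
        "against_required": validate_against_required(form, REQUIRED_BY_ORG),
    }


if __name__ == "__main__":
    for label, form in [("complete", COMPLETE),
                        ("blank dob", BLANK_DOB),
                        ("dob input deleted", DOB_INPUT_DELETED)]:
        print(label, compare(form))
```

With a blank date of birth both validators report "dob", which is why the red error message normally appears. With the input deleted, the submitted-only loop returns no errors at all, matching step 4 of the reproduction, while the hardened loop still reports "dob" because it never consulted the client to decide what to check.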
