Voyager operator without permissions can view patron data from discharge screen
- Article Type: General
- Product: Voyager
- Product Version: 7.2.1
Description:
Bug Report Form for Issue 16384-12434 / VYG-4489
Module(s): Circulation/SysAdmin
Server platform(s) affected: Solaris/all
PC OS (if applicable): n/a
Browser & version (if applicable): n/a
Release(s) reported in: 7.2.1; replicated in: 7.2.3
Expected results:
If an operator is in a Circ Security Profile that has neither Add/Update Patron Records nor View Only Patron Records checked, that operator should not be able to access patron records.
Actual results:
If an operator without Add/Update Patron Records or View Only Patron Records discharges an item, then right-clicks on the discharge screen and selects Go To Borrowing Patron, that patron’s full record displays (including address info as well as SSN/IID info).
Workflow implications: Operators who shouldn’t have access to patron data do.
Replication steps:
1) In SA>Security>Circ Security Profiles, create a new profile and make sure that both Add/Update Patron Records and View Only Patron Records are unchecked.
2) Create a new operator and move that operator into the security profile you created in step 1.
3) Log in to Circ as your new operator – you’ll note that, correctly, you have no access to the Patron icon.
4) Go to the Discharge screen and type in the barcode of an item currently charged to a patron.
5) In the Discharge screen, right-click and select the Go To Borrowing Patron option – immediately the Patron window appears, with all details viewable to this operator.
Workaround: You can go to the Patron Groups tab of this operator’s security profile and use the Restrict Record View option.
- Article last edited: 09-Dec-2019