http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8868 --- Comment #24 from Julian Maurice <julian.maurice@biblibre.com> ---
Also a more general question: Would there be a need for some kind of check if cancelling the hold via ILS-DI is allowed? Could someone misuse this to cancel reserves of someone else?
This can certainly happen as Koha only uses IP address to trust the remote user, and IP address cannot guarantee user's identity (http://en.wikipedia.org/wiki/IP_address_spoofing). But ILS-DI protocol doesn't provide any authentication mechanisms, so... what can we do? Note: RenewLoan, HoldTitle and HoldItem also allows to modify database without authentication. -- You are receiving this mail because: You are watching all bug changes.