Galen,

And this, ultimately, is what makes me nervous about this proposal -- it's one thing for an academic library to inadvertently reveal confidential bibliographic records.  That may cause annoyance, it may anger donors of materials in an archival collection, it may at a stretch cost somebody a job -- but the consequences do not reach to the level of affecting somebody's safety or freedom of movement.

Whether or not the patch passes QA and my review on the technical merits and gets pushed for 3.14 or any future release, I /strongly/ encourage you to consider that air-gap security [1] may better protect the users in question than any possible implementation in Koha, which simply is not design as a high-security application.

I would like to second this. Unless you are prepared to make That Phone Call, if you truly believe that inadvertently exposing bibliographic records to the wrong person could have serious consequences, MAKE SURE IT IS IMPOSSIBLE. If there's no possibility of error, there is no danger of the error happening at the worst possible moment. Books are precious, but people are infinitely more so.

Also, I would not put much reliance on the fact that there is not currently any violence around the libraries in question. That sort of thing changes quickly. If you really need an example, I can share one.

Obviously one of the strengths of open source software is you can do whatever you want with it, even putting the code in question into production if it fails the QA process, but please, Please, PLEASE consider very seriously whether this would best serve your users.

Regards,
Jared

--
Jared Camins-Esakov
Bibliographer, C & P Bibliography Services, LLC
(phone) +1 (917) 727-3445
(e-mail) jcamins@cpbibliography.com
(web) http://www.cpbibliography.com/