[Koha-bugs] [Bug 8868] ILS-DI: CancelHold needs to take a reserve_id
bugzilla-daemon at bugs.koha-community.org
Fri Mar 14 11:11:00 CET 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8868
--- Comment #24 from Julian Maurice <julian.maurice at biblibre.com> ---
> Also a more general question: Would there be a need for some kind of check if
> cancelling the hold via ILS-DI is allowed? Could someone misuse this to
> cancel reserves of someone else?
This can certainly happen, as Koha only uses the IP address to trust the remote
user, and an IP address cannot guarantee the user's identity
(http://en.wikipedia.org/wiki/IP_address_spoofing).
But the ILS-DI protocol doesn't provide any authentication mechanisms, so... what
can we do?
Note: RenewLoan, HoldTitle and HoldItem also allow modifying the database without
authentication.