[Koha-bugs] [Bug 22925] AuthenticatePatron should fail if patron has lost card

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri May 24 19:34:20 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22925

Liz Rea <wizzyrea at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |In Discussion
                 CC|                            |wizzyrea at gmail.com

--- Comment #2 from Liz Rea <wizzyrea at gmail.com> ---
Hi Arthur,

Can you explain a bit more about the use case here? Since this is ILS-DI only,
and not across all of the Koha OPAC, I assume your use case has to do with
connectivity to a service like Overdrive or Bolinda (or your local eBook
vendor). Is that right? 

The reason I ask is because not every library uses the cardnumber as the login
username. A person who loses their card may still have a legitimate reason to
log into Koha (or an attached 3rd party service) - why should they be
additionally punished for losing their card by not being able to access library
resources? People lose things all the time and it's really annoying to replace
all those lost things. Let's not make it harder for people.

The information on the majority of library cards is basically considered public
- things like your name, and your card number. They aren't secret. The password
though, is. And since (I sure hope...) normally the password isn't on the
library card, even if someone bad has the card, they still don't have the
password and so can't get in anyway. 

Taking it a step further, even if the bad person went to the OPAC to change the
password (presuming the library has that enabled), they would still need the
username (that could be the card number, yes, but it often isn't) and/or the
e-mail address associated with the account, and access to that email account,
to change the password. Yes, they could then get in to the 3rd party service,
but they have worked really hard to get there and compromised much more than
just Koha, and likely broken a few laws in the meantime.

If we are going to implement this feature, I feel like it must be optional, and
definitely should be off by default. 

Please, if anybody thinks any of this is wrong, I'm happy to consider that
point of view - I am sure I haven't thought through to every possibility and
there could be a very good use case for this feature.

Cheers,
Liz
