[Koha-devel] Requests and their cancellation by owner

Stephen Hedges shedges at skemotah.com
Mon Feb 23 12:02:45 CET 2004


paul POULAIN said:
> Benedykt P. Barszcz wrote:
>
>>Hi group,
>>I noticed that Requests made by user cannot be cancelled. There is no
>>such button to do so. Kohaadmin can do that, though. Isn't it strange? A
>>user should be able to cancel his/her own requests if he/she wished so
>>(before reservation expires). This would give other users an opportunity
>>to reserve an item once available.
> You're right. Enter a "normal" bug in bugs.koha.org
>
Isn't there a security issue here?  I've forgotten the details, but it
seems like you have to give the borrower the right to modify the database,
causing a security hole.  Borrowers also cannot renew their items, for the
same reason, if I remember correctly.

I think that's why self-checkout systems use SIP2, to limit the borrower's
access to their _own_ data and not the database as a whole.

-- 
Stephen Hedges
Skemotah Solutions, USA
www.skemotah.com  --  shedges at skemotah.com






