[Koha] Minimum permissions needed for patron search
Coehoorn, Joel
jcoehoorn at york.edu
Sat Sep 9 02:00:09 NZST 2023
We're a small college using Koha for our library circulation. Our library
uses workstudy students to man the desk and do *basic *circulation tasks.
Anything advanced, like adding or receiving holds, fines, etc, and the
student will get an actual librarian.
These workstudy students are also regular patrons, so the workstudy job is
accomplished with a dedicated login, with the password saved on the
circulation PC so the students don't actually know how to login as a staff
person otherwise. FERPA and related laws require us to treat this as an
extremely low-trust position. Historically, this login has only had the
"View Patron Infos from any Libraries
(view_borrower_infos_from_any_libraries)" permission in the "Add Modify
Patron Information (borrowers)" section. We also use SAML for
authentication.
Recently, this account is no longer able to search for patrons by name. If
a student comes to the desk to checkout a book and forgets their card, our
workstudy account used to be able to search them by name and proceed with
the checkout process. Now, this enters a SAML redirect loop trying to
validate permissions for the login, which is detected and broken with an
error by the identity provider. I can't find where in Koha, if anywhere,
this is being logged to help resolve it. They are otherwise able to
circulate material if they can lookup the patron by barcode.
I discovered the problem goes away if we add the "Add, modify and view
patron information (edit_borrowers)" to the login. Then they are able to
continue circulation as normal. However, we don't want this account to be
able to add or modify borrows, especially as this information all syncs
from our student information system. We don't want manual edits... ever.
How can I fix this? Why do we need to give edit permissions just to do a
search?
*Joel Coehoorn*
Director of Information Technology
*York University*
Office: 402-363-5603 | jcoehoorn at york.edu | york.edu
*Please contact helpdesk at york.edu <helpdesk at york.edu> for technical
assistance.*
The mission of York University is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society
More information about the Koha
mailing list