[Koha] SIP2 AF field sent even if patron password is invalid

Colin Campbell colin.campbell at ptfs-europe.com
Fri Aug 1 04:21:42 NZST 2014


On Thu, Jul 31, 2014 at 07:25:49AM -0400, Kyle Hall wrote:
> 
> As far as I can tell, the SIP2 spec does not intend a bad user password to
> limit any data, it is up to the client to determine what and what not to
> display given a bad patron password.
> 
Many of the early SIP devices considered the fact a user had wanded a
barcode security enough. I recall machines which sent blank passwords
meaning 'I don't care about passwords and if they're valid'. The
implication of the standard is that the client end will do the right
thing if I flag up the password was invalid.
NB that responses like patron status return both whether the patron is
valid and whether the password is valid which suggests that the two are
independent and it may want info back irrespective of password validity.
It's also not impossible that a client application may want patron data
and issue an info request without that patron being present (whether
such an app should be tolerated is another thing). So I think we should
certainly tailor message responses sensibly but policy is the
responsibility of the client device. (maybe we should look a bit closer
at them)
C.

-- 
Colin Campbell
Chief Software Engineer,
PTFS Europe Limited
Content Management and Library Solutions
+44 (0) 800 756 6803 (phone)
+44 (0) 7759 633626  (mobile)
colin.campbell at ptfs-europe.com
skype: colin_campbell2

http://www.ptfs-europe.com
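
Added example, not part of the original message and not Koha code: a sketch of the client-side check the thread describes, reading the separate valid-patron (BL) and valid-password (CQ) flags of a SIP2 Patron Status Response (24) before showing AF or other patron data. Field codes are taken from the 3M SIP2 specification; the sample messages, the PRIVATE set and the function names are assumptions made for illustration.

```python
# Fixed-width header of a 24 response:
# "24" + patron status (14) + language (3) + transaction date (18).
FIXED_LEN = 2 + 14 + 3 + 18

# Assumption: which fields count as private is local client policy.
# AE = personal name, AF = screen message, AG = print line, BV = fee amount.
PRIVATE = {"AE", "AF", "AG", "BV"}

def parse_patron_status(msg):
    """Return the variable-length fields of a 24 response as a dict."""
    msg = msg.rstrip("\r\n")
    if not msg.startswith("24") or len(msg) < FIXED_LEN:
        raise ValueError("not a Patron Status Response")
    fields = {}
    for chunk in msg[FIXED_LEN:].split("|"):
        # Skip empty trailing chunks and the AY/AZ sequence/checksum trailer.
        if len(chunk) >= 2 and chunk[:2] != "AY":
            fields.setdefault(chunk[:2], chunk[2:])
    return fields

def displayable(fields, require_password=True):
    """Apply client policy: drop private fields unless the flags allow them.

    BL and CQ are independent. A missing flag is treated as 'N' (fail closed).
    require_password=False models a device that accepts the barcode alone.
    """
    patron_ok = fields.get("BL") == "Y"
    password_ok = fields.get("CQ") == "Y"
    if patron_ok and (password_ok or not require_password):
        return dict(fields)
    return {k: v for k, v in fields.items() if k not in PRIVATE}

# Constructed sample messages (not captured traffic).
HEADER = "24" + " " * 14 + "001" + "20140801    042142"
BODY = "AOMAIN|AA23529000035676|AEJane Example|BLY|CQ{}|AFGreetings from Koha.|"
SAMPLE_BAD_PW = HEADER + BODY.format("N")
SAMPLE_GOOD_PW = HEADER + BODY.format("Y") + "AY1AZF3B2"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD_PW, SAMPLE_GOOD_PW):
        print(sorted(displayable(parse_patron_status(sample))))
```
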

