On Thu, Jul 31, 2014 at 07:25:49AM -0400, Kyle Hall wrote:
>
> As far as I can tell, the SIP2 spec does not intend a bad user password to
> limit any data, it is up to the client to determine what and what not to
> display given a bad patron password.
>

Many of the early SIP devices considered the fact a user had wanded a barcode, security enough. I recall machines which sent blank passwords meaning 'I don't care about passwords and if they're valid'. The implication of the standard is that the client end will do the right thing if I flag up the password was invalid.

NB that responses like patron status return both whether the patron is valid and whether the password is valid, which suggests that the two are independent and it may want info back irrespective of password validity. It's also not impossible that a client application may want patron data and issue an info request without that patron being present (whether such an app should be tolerated is another thing).

So I think we should certainly tailor message responses sensibly but policy is the responsibility of the client device. (maybe we should look a bit closer at them)

C.
--
Colin Campbell
Chief Software Engineer, PTFS Europe Limited
Content Management and Library Solutions
+44 (0) 800 756 6803 (phone)
+44 (0) 7759 633626 (mobile)
colin.campb...@ptfs-europe.com
skype: colin_campbell2
http://www.ptfs-europe.com
_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
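
Added example, not part of the message above and not Koha's code: a client-side sketch of the point that a SIP2 Patron Status Response (24) reports patron validity and password validity independently, leaving display policy to the client. The field codes BL (valid patron) and CQ (valid patron password) are taken from the SIP2 specification rather than from the message; the function names, the `require_password` switch and the sample response are assumptions constructed for illustration.

```python
# Added example: client-side policy over a SIP2 Patron Status Response (24).
# The sample message is constructed for illustration, not captured traffic.

# message id (2) + patron status (14) + language (3) + transaction date (18)
FIXED_LEN = 2 + 14 + 3 + 18

SAMPLE = ("24" + " " * 14 + "001" + "20140731    072549"
          + "AOMAIN|AA23529000000001|AEJane Example|BLY|CQN|AFInvalid password|")


def parse_patron_status(msg):
    """Return the variable-length fields of a 24 response as {code: value}."""
    msg = msg.rstrip("\r\n")
    if not msg.startswith("24") or len(msg) < FIXED_LEN:
        raise ValueError("not a SIP2 Patron Status Response")
    fields = {}
    for chunk in msg[FIXED_LEN:].split("|"):
        if len(chunk) >= 2:
            # Keep the first occurrence so a repeated code cannot override it.
            fields.setdefault(chunk[:2], chunk[2:])
    return fields


def display_decision(fields, require_password=True):
    """Decide what the client shows; BL and CQ are evaluated independently."""
    valid_patron = fields.get("BL") == "Y"      # BL: valid patron
    valid_password = fields.get("CQ") == "Y"    # CQ: valid patron password
    # A missing BL or CQ counts as "not valid": the client fails closed.
    if not valid_patron:
        return {"allow": False, "reason": "unknown patron", "show": {}}
    if require_password and not valid_password:
        return {"allow": False, "reason": "bad password", "show": {}}
    show = {"name": fields.get("AE", ""), "barcode": fields.get("AA", "")}
    return {"allow": True, "reason": "ok", "show": show}


if __name__ == "__main__":
    parsed = parse_patron_status(SAMPLE)
    print(display_decision(parsed))                          # strict kiosk
    print(display_decision(parsed, require_password=False))  # barcode-only device
```

With the constructed response the server still returns the patron's name alongside `CQN`, so whether that name reaches the screen depends entirely on the client's policy.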