Until that happens… how would libraries use API permissions to restrict access to the public computers by:
PIN/Barcode
BlockInfo field
Note:
We only want to assign the permission via the Patrons Validate role.
We don’t want to give our vendors access to Patrons Read role (that has too much personal information in it).
Should I submit a specific Idea for a new API permission based on the BlockInfo field?
Maybe the solution is to set up an intermediate server which filters out any sensitive field parameters in the GET query string, so that the URI reads something like
We use Cloudflare for something like this on the Polaris side. It offers tons of flexibility in terms of pinpointing the exact strings you want to block that you can combine with source IPs, countries, and tons of other signals. I believe that can all be done with their free account. We use their pro plan which is $20 a month.
Implementing Cloudflare is a significant task that takes some time to wrap your head around, but once you have it in place you quickly come to appreciate the flexibility and extra security it offers you.
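The intermediate-server idea raised earlier in the thread could be implemented as an allowlist rather than a blocklist. The sketch below is an added example, not code from any poster or from the Polaris API; the parameter names (`barcode`, `fields`), the field names and the host are hypothetical placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical query parameter names; the thread does not list the real ones.
ALLOWED_PARAMS = {"barcode", "fields"}
# Hypothetical response-field names a vendor may request through "fields".
ALLOWED_FIELDS = {"blockinfo", "validpatron"}


class RejectedRequest(ValueError):
    """Raised when the proxy should answer 400 instead of forwarding."""


def filter_uri(uri: str) -> str:
    """Return the URI to forward upstream, keeping only allowlisted query data."""
    parts = urlsplit(uri)
    seen = {}
    # parse_qsl percent-decodes names, so "%42arcode" is matched as "Barcode".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()
        if key not in ALLOWED_PARAMS:
            continue  # drop anything not explicitly allowed
        if key in seen:
            # Servers disagree on which duplicate wins, so refuse
            # rather than guess which copy upstream will honour.
            raise RejectedRequest(f"duplicate parameter: {key}")
        seen[key] = value
    if "fields" in seen:
        wanted = [f.strip() for f in seen["fields"].split(",") if f.strip()]
        kept = [f for f in wanted if f.lower() in ALLOWED_FIELDS]
        if not kept:
            raise RejectedRequest("no permitted fields requested")
        seen["fields"] = ",".join(kept)
    # Rebuild the query from the filtered dict and drop any fragment.
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(seen), ""))
```

Filtering the request only limits what a vendor can ask for; if the upstream response still carries personal fields, the intermediate server has to apply the same allowlist to the response body.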