Bug 37766: Fix forms that POST without an op in MARC bibliographic frameworks

We intend not to have forms with method="post" without an op variable
(so we can check that the op starts with "cud-" as part of the CSRF
protection), but because of bug 37728 some were missed.

In MARC bibliographic frameworks, that's the tag search form, which
should be a GET so the URL includes what you searched for and you can
bookmark it or link to the search, and the cancel "No, do not delete"
button in the page to confirm deleting a subfield, which should also be
a GET to take you back to the page where you were, which was
?tagfield=903&frameworkcode=VR when you clicked Delete.

Test plan:
 1. No visible change in behavior (only the URL), so start with the
    patch applied
 2. Administration - MARC bibliographic framework - choose one other
    than Default, since the "&framework=" of Default could be confused
    with a failure to get the code in there - Actions - MARC structure
 3. Type any three digit number higher than 009 (you want something with
    subfields) in the Search for tag input and hit Enter
 4. Verify that your URL has the searchfield and frameworkcode correct
    and that number or next highest number tag is displayed first
 5. Change the In framework select menu to another non-Default framework
    and click search, and verify that the URL changes to that
    frameworkcode, and that framework is displayed
 6. Toggle the Display only used tags/subfields checkbox, search for a
    different tag, and verify that the state of the checkbox persists as
    you do more searches
 7. On any other listed tag - Actions - View subfields
 8. For any displayed subfield click Delete
 9. In the confirmation page click No, do not delete
10. Verify that the page you return to has the correct tagfield and
    frameworkcode for the tag you chose

Sponsored-by: Chetco Community Public Library
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda 2024-08-29 16:51:27 -07:00 committed by Katrin Fischer
parent 06d8b7e3f0
commit 0677cf5102
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
2 changed files with 2 additions and 5 deletions

@ -330,10 +330,8 @@
</form>
<form action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form action="[% script_name | html %]" method="get">
<input type="hidden" name="tagfield" value="[% mss.tagfield | html %]" />
<input type="hidden" name="tagsubfield" value="[% mss.tagsubfield | html %]" />
<input type="hidden" name="frameworkcode" value="[% mss.frameworkcode | html %]" />
<button type="submit" class="btn btn-default deny"><i class="fa fa-fw fa-times"></i> No, do not delete</button>
</form>
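Review bot: the cancel form keeps the hidden tagsubfield input, so with method="get" the return URL will carry tagfield, tagsubfield and frameworkcode, not just the ?tagfield=903&frameworkcode=VR form the commit message describes. If the subfield list page does not read tagsubfield, drop that hidden input so the URL holds only what the page uses; if it does read it, mention that in the commit message. Removing the 'csrf-token.inc' include alongside the switch to GET is the right call, since a token submitted by a GET form would end up in the URL.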

@ -214,8 +214,7 @@
[% IF ( else ) %]
<form name="f" action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form name="f" action="[% script_name | html %]" method="get">
<fieldset style="padding:.5em;">
<label for="tag_search"><strong>Search for tag:</strong> </label>
<input type="text" name="searchfield" id="tag_search" size="4" value="[% searchfield | html %]" />
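Review bot: the search form "f" now submits by GET with no op and no token, so the script has to treat a request without an op as a read-only search and never change state on it; worth confirming that in the handler, because the check described in the commit message only guards ops that start with "cud-". Since the commit message says forms like this were missed, consider adding a template test that flags any method="post" form without an op input, so the next one is caught automatically instead of by hand.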