Bug 37794: Fix form that POSTs without an op in Holds to pull

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

In Holds to pull that's the form which lets you change from the default
starting and ending date. Switching that to a GET at least lets you refresh
the page without getting a browser warning about resending a POST and maybe
having your credit card double-charged.

Test plan:
1. Without the patch, Circulation - Holds to pull - change the start date to
   something earlier and click Submit
2. Refresh the page, get a warning about resubmitting data
3. Apply patch, Circulation - Holds to pull - change the start date to
   something earlier and click Submit
4. Refresh the page, no warning

Sponsored-by: Chetco Community Public Library

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda 2024-08-30 10:04:12 -07:00 committed by Katrin Fischer
parent 48d8ac7bef
commit 06f17d9f6a
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834

@ -287,8 +287,7 @@
<div id="filters">
<form action="/cgi-bin/koha/circ/pendingreserves.pl" method="post" >
[% INCLUDE 'csrf-token.inc' %]
<form action="/cgi-bin/koha/circ/pendingreserves.pl" method="get" >
<fieldset class="brief">
<h4>Refine results</h4>
<ol>
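
Review bot: On the new `<form ... method="get" >` line, the `csrf-token.inc` include is dropped together with the POST, so this form now reaches pendingreserves.pl with neither a token nor an op; please confirm that the script only reads the filter values submitted here and has no branch that changes data on them, since nothing in the hunk shows the handler side. With GET the filter values also end up in the URL, and so in browser history and access logs, which is fine for a date range but worth checking against the other fields in this fieldset. Minor style point: the stray space before `>` in `method="get" >` is carried over from the old line and could be removed while the line is being touched.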