Bug 37768: Fix form that POSTs without an op in itemtype administration

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

For itemtype administration, that's the "No, do not delete" cancel button
when you decide not to delete an itemtype, which doesn't need to POST
anything since it's just taking you back to the list of itemtypes. The only
visible change from switching to a GET is that the URL ends with a "?" from
a GET with no params, but someone can fix that by choosing one of our various
link-as-a-cancel-button styles and switching it to a link in a bug that
doesn't block an RM_priority bug.

Test plan:
1. You aren't going to see a visible difference, so start with the patch
   applied
2. Administration - Item types
3. You need an itemtype that isn't in use to be able to delete it - ktd
   provides you with an unused Computer Files type, so click the Delete
   button for that row
4. In the "Are you sure..." page, click No, do not delete
5. Verify that you are back at the list of itemtypes, with only the "?" at
   the end of the URL to tell you that you did a GET rather than a POST

Sponsored-by: Chetco Community Public Library

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Phil Ringnalda 2024-08-29 16:18:52 -07:00 committed by Katrin Fischer
parent f580ab18d3
commit 1b1c8cacfb
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834

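The convention the commit message relies on (a POST must carry an op starting with "cud-" plus a CSRF token, while a cancel that only navigates back to the list can be a plain GET) is easy to state but worth seeing as a concrete policy check. The block below is an added illustration, not Koha's own CSRF middleware or template code; the token scheme (HMAC of the session id under a server secret), the `csrf_token` parameter name and the `check_request` helper are assumptions for the example, and the sample requests are constructed from the forms shown in this commit.

```python
"""Added example (not Koha's code): the request policy described in the commit
message, as a stand-alone check.

Rule: a state-changing operation is named with an op that starts with "cud-"
(create/update/delete). It may only arrive by POST carrying a valid CSRF
token, and a POST without any op is rejected rather than silently treated as
a read. A GET must never carry a cud- op. Token scheme and parameter names
are assumptions for illustration only.
"""
import hashlib
import hmac

# Assumption: a per-deployment secret; constructed value for the example.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def make_csrf_token(session_id: str) -> str:
    """Bind a token to the session so it cannot be replayed across sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, params: dict, session_id: str):
    """Return (allowed, reason) for one request under the cud- / CSRF policy."""
    op = params.get("op")

    if method == "GET":
        # Reads may have any non-cud op or none at all; a cud- op over GET is
        # a state change without a token and is refused.
        if op is not None and op.startswith("cud-"):
            return False, "state-changing op sent via GET"
        return True, "read-only request"

    if method == "POST":
        if op is None:
            # The exact case this commit removes: a POST form with no op.
            return False, "POST without op"
        if not op.startswith("cud-"):
            return False, "POST op must start with cud-"
        token = params.get("csrf_token")
        expected = make_csrf_token(session_id)
        if token is None or not hmac.compare_digest(token, expected):
            return False, "missing or invalid CSRF token"
        return True, "state-changing request authorized"

    return False, "unsupported method"


def itemtype_delete_scenarios(session_id: str = "s1") -> dict:
    """Constructed requests mirroring the two buttons on the confirm page,
    plus the form shape this commit removes and two forged variants."""
    token = make_csrf_token(session_id)
    return {
        # "Yes, delete this item type": POST with cud- op and token.
        "confirm_delete": check_request(
            "POST", {"op": "cud-delete_confirmed", "itemtype": "CF",
                     "csrf_token": token}, session_id),
        # "No, do not delete" after this commit: GET with no params.
        "cancel_get": check_request("GET", {}, session_id),
        # "No, do not delete" before this commit: POST, token, no op.
        "cancel_post_no_op": check_request(
            "POST", {"csrf_token": token}, session_id),
        # Attacker-crafted link trying to delete via GET.
        "forged_get_delete": check_request(
            "GET", {"op": "cud-delete_confirmed", "itemtype": "CF"}, session_id),
        # Cross-site POST without a valid token.
        "forged_post_delete": check_request(
            "POST", {"op": "cud-delete_confirmed", "itemtype": "CF",
                     "csrf_token": "guess"}, session_id),
    }


if __name__ == "__main__":
    for name, (ok, why) in itemtype_delete_scenarios().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The point of refusing a POST with no op outright, rather than treating it as a read, is that it makes the "forgot the op" form shape fail loudly in testing instead of quietly bypassing the cud- check, which is why a cancel button that only navigates should be a GET (or a link) rather than a token-carrying POST.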

@ -379,8 +379,7 @@
<input type="hidden" name="op" value="cud-delete_confirmed" /><input type="hidden" name="itemtype" value="[% itemtype.itemtype | html %]" />
<button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> Yes, delete this item type</button>
</form>
<form action="/cgi-bin/koha/admin/itemtypes.pl" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form action="/cgi-bin/koha/admin/itemtypes.pl" method="get">
<button type="submit" class="btn btn-default deny"><i class="fa fa-fw fa-times"></i> No, do not delete</button>
</form>
</div>
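Review bot: dropping `[% INCLUDE 'csrf-token.inc' %]` together with `method="post"` is the right pairing, not an oversight: had the include stayed on a `method="get"` form, the hidden token field would be serialized into the query string and from there into browser history, Referer headers and server logs. The new form has no fields at all, which is what produces the trailing "?" the commit message mentions; a plain link carrying the same button classes (`<a class="btn btn-default deny" href="/cgi-bin/koha/admin/itemtypes.pl">`) would give identical navigation without it, although the message explicitly defers that change. One thing to confirm when signing off: itemtypes.pl must treat a GET with no op as the list view and not fall through to any cud- branch, since this form no longer sends an op.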