Bug 37765: Fix forms that POST without an op in systempreferences

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

The two in systempreferences are the button to cancel deleting a local
preference, which can be fixed with no visible change, and the button to
return to the preferences list after being told that your requested deletion
has been done, which makes a visible change because right now, the whole page
that tells you the preference was deleted doesn't show at all.

Test plan:
 1. Without the patch, Administration - System preferences - Local use (in the
    left sidebar)
 2. New system preference - Explanation and Variable are required, so make
    them both Trash and Save
 3. In the row for your new preference, click the Delete button
 4. In the confirmation page, click the No, do not delete button
 5. You'll be taken back to the list of Local use preferences. That's the
    behavior that you want to see unchanged after the patch
 6. Click the Delete button for your preference again, but this time click
    Yes, delete
 7. You'll be taken to a blank page with no category of preferences selected
    or listed. That's the behavior that you want to see change with the patch
 8. Apply patch, restart_all
 9. Administration - System preferences - Local use - New system preference -
    'Trash' for both Explanation and Variable - Save
10. In the row for the new preference, click the Delete button
11. In the confirmation page, click No, do not delete
12. Verify that it returns you to the list of Local use preferences just like
    before
13. Click Delete again, but this time click Yes, delete
14. Now you should get a page saying "Data deleted" with a Back to system
    preferences button. Click that button, you should return to the list
    of Local use preferences, with your Trash preference gone

Sponsored-by: Chetco Community Public Library

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda 2024-08-28 19:57:52 -07:00 committed by Katrin Fischer
parent df888200a1
commit 2177010085
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
2 changed files with 3 additions and 4 deletions
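
The convention the commit message describes (every form with method="post" carries an op that starts with "cud-") can be checked mechanically over a template. The Python check below is an added example, not part of this commit or of Koha's code; the function names and the sample template are constructed for illustration, and it assumes forms are not nested and attributes are double-quoted.

```python
import re

# Regex scan: assumes no nested forms and no literal ">" inside a tag.
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
FIELD_RE = re.compile(r"<(?:input|button)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def attrs(tag_body):
    """Parse the double-quoted attributes of one tag into a dict."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}


def post_forms_without_cud_op(template):
    """Return (line, reason) for each POST form that lacks a cud- op."""
    findings = []
    for m in FORM_RE.finditer(template):
        if attrs(m.group(1)).get("method", "get").lower() != "post":
            continue  # GET forms carry no op and must stay read-only
        fields = [attrs(f) for f in FIELD_RE.findall(m.group(2))]
        ops = [f.get("value", "") for f in fields if f.get("name") == "op"]
        line = template.count("\n", 0, m.start()) + 1
        if not ops:
            findings.append((line, "POST form has no op field"))
        elif not all(v.startswith("cud-") for v in ops):
            findings.append((line, "op does not start with cud-"))
    return findings


# Constructed sample: a confirm form, the pre-patch cancel form, the patched one.
SAMPLE = """\
<form action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="cud-delete_confirmed" />
<button type="submit">Yes, delete</button>
</form>
<form class="inline" action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<button type="submit">No, do not delete</button>
</form>
<form class="inline" action="[% script_name | html %]" method="get">
<button type="submit">No, do not delete</button>
</form>
"""

if __name__ == "__main__":
    for line, reason in post_forms_without_cud_op(SAMPLE):
        print(f"line {line}: {reason}")
```

Only the second form is reported: it posts with a CSRF token but no op, which is the pattern this commit removes.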

@ -352,6 +352,7 @@ if ( $op eq 'add_form' ) {
} elsif ( $op eq 'cud-delete_confirmed' ) {
output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
C4::Context->delete_preference($searchfield);
$template->param( delete_confirmed => 1 );
# END $OP eq DELETE_CONFIRMED
################## DEFAULT ##################################
} else { # DEFAULT
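Review bot: in the `cud-delete_confirmed` branch, `delete_confirmed` is set unconditionally on the line after `C4::Context->delete_preference($searchfield);`, so the template will show "Data deleted" regardless of what that call did. If delete_preference can report failure, set the flag only on success and hand the template an error to display otherwise.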

@ -289,8 +289,7 @@
<input type="hidden" name="Tvalue" value="[% Tvalue | html %]" />
<button type="submit" class="btn btn-default approve"><i class="fa fa-check" aria-hidden="true"></i> Yes, delete</button>
</form>
<form class="inline" action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form class="inline" action="[% script_name | html %]" method="get">
<button type="submit" class="btn btn-default deny"><i class="fa fa-remove" aria-hidden="true"></i> No, do not delete</button>
</form>
</div>
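Review bot: the "No, do not delete" form now submits by GET with no named fields, so the request carries neither an op nor a CSRF token and depends on the script's fall-through branch (`} else { # DEFAULT`) staying read-only; a short template comment saying so would help the next person who touches it. Since the form only navigates, a link styled as a button, for example `<a class="btn btn-default deny" href="[% script_name | html %]">`, would state that intent more directly than an empty form.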
@ -299,8 +298,7 @@
[% IF ( delete_confirmed ) %]
<div class="alert alert-info">
<h1>Data deleted</h1>
<form action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form action="[% script_name | html %]" method="get">
<button type="submit">Back to system preferences</button>
</form>
</div>
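Review bot: the `<button type="submit">` for "Back to system preferences" has no classes, while both buttons in the confirmation form use `class="btn btn-default ..."`. The commit message says this block was not being displayed at all before the change, so this is a good moment to give the button the same classes and keep the page consistent.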