From 21770100854c168fb49ccd0edcf1f0775919464f Mon Sep 17 00:00:00 2001 
From: Phil Ringnalda
Date: Wed, 28 Aug 2024 19:57:52 -0700
Subject: [PATCH] Bug 37765: Fix forms that POST without an op in systempreferences

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed.

The two in systempreferences are the button to cancel deleting a local preference, which can be fixed with no visible change, and the button to return to the preferences list after being told that your requested deletion has been done, which makes a visible change because right now, the whole page that tells you the preference was deleted doesn't show at all.

Test plan:
1. Without the patch, Administration - System preferences - Local use (in the left sidebar)
2. New system preference - Explanation and Variable are required, so make them both Trash and Save
3. In the row for your new preference, click the Delete button
4. In the confirmation page, click the No, do not delete button
5. You'll be taken back to the list of Local use preferences. That's the behavior that you want to see unchanged after the patch
6. Click the Delete button for your preference again, but this time click Yes, delete
7. You'll be taken to a blank page with no category of preferences selected or listed. That's the behavior that you want to see change with the patch
8. Apply patch, restart_all
9. Administration - System preferences - Local use - New system preference - 'Trash' for both Explanation and Variable - Save
10. In the row for the new preference, click the Delete button
11. In the confirmation page, click No, do not delete
12. Verify that it returns you to the list of Local use preferences just like before
13. Click Delete again, but this time click Yes, delete
14. Now you should get a page saying "Data deleted" with a Back to system preferences button.
Click that button, you should return to the list of Local use preferences, with your Trash preference gone

Sponsored-by: Chetco Community Public Library
Signed-off-by: Jonathan Druart
Signed-off-by: Julian Maurice
Signed-off-by: Katrin Fischer
--- admin/systempreferences.pl | 1 + .../prog/en/modules/admin/systempreferences.tt | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/admin/systempreferences.pl b/admin/systempreferences.pl index 816714034d..4561ba6578 100755 --- a/admin/systempreferences.pl +++ b/admin/systempreferences.pl @@ -352,6 +352,7 @@ if ( $op eq 'add_form' ) { } elsif ( $op eq 'cud-delete_confirmed' ) { output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' }); C4::Context->delete_preference($searchfield); + $template->param( delete_confirmed => 1 ); # END $OP eq DELETE_CONFIRMED ################## DEFAULT ################################## } else { # DEFAULT diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/systempreferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/systempreferences.tt index 14efa17638..302c7e0148 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/systempreferences.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/systempreferences.tt @@ -289,8 +289,7 @@ -
- [% INCLUDE 'csrf-token.inc' %] +
@@ -299,8 +298,7 @@ [% IF ( delete_confirmed ) %]

Data deleted

-
- [% INCLUDE 'csrf-token.inc' %] +
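
Review bot: In the `cud-delete_confirmed` branch of admin/systempreferences.pl, `delete_confirmed` is set unconditionally right after `C4::Context->delete_preference($searchfield);`, so the template will report "Data deleted" whether or not anything was actually removed. If `delete_preference` reports success or failure, set the flag only on success and show an error otherwise; if it does not, a one-line comment saying so would help the next reader.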
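
Review bot: In the @@ -289 hunk of systempreferences.tt (the cancel form), the `[% INCLUDE 'csrf-token.inc' %]` line is dropped together with the old form tag, which is only correct if the replacement form no longer submits with method="post". The test plan checks where the button lands but not how the request is sent, so please confirm the new tag is a plain GET that changes no state, and consider adding a test-plan step that checks the request method.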
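
Review bot: In the @@ -299 hunk, the `[% IF ( delete_confirmed ) %]` block says only "Data deleted" and does not name the preference that was removed. `$searchfield` is already in scope where the flag is set in systempreferences.pl, so consider passing it to the template and printing it through the `html` filter, so the confirmation states which variable was deleted.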