Bug 34368: Add CSRF token to Content Management pages

This change adds a CSRF token to the Content Management pages
at additional-contents.pl.

Test plan:
0. Apply patch
1. koha-plack --restart kohadev
2. Try to add "News", "HTML customizations", and "Pages".
3. Try to delete these new content entries
4. Note that you were successful in your endeavours

JD amended patch: remove empty line removal (no need to create
unnecessary conflicts)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e97fae72141446b0a2fb06c454c601966e5f3494)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a759adc91730da7b57ced0f1baf59e83031197f9)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
David Cook 2023-07-25 05:18:00 +00:00 committed by Matt Blenkinsop
parent 0d245c936c
commit 27f44f461e
2 changed files with 5 additions and 1 deletions


@ -201,6 +201,7 @@
</div>
<form id="add_additional_content" method="post" action="/cgi-bin/koha/tools/additional-contents.pl" class="validate">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="add_validate" />
<input type="hidden" name="category" value="[% category | html %]" />
<input type="hidden" name="code" value="[% additional_content.code | html %]" />
@ -452,6 +453,7 @@
<fieldset class="action"><input type="submit" class="btn btn-primary" value="Delete selected" /></fieldset>
</form>
<form action="/cgi-bin/koha/tools/additional-contents.pl" method="post" id="delete_single">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" id="del_op" name="op" value="delete_confirmed" />
<input type="hidden" id="del_category" name="category" value="[% category | html %]" />
<input type="hidden" id="del_ids" name="ids" />
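Review bot: The form closed by the `</form>` just above the `delete_single` form in the second hunk (its opening tag and hidden `op` field lie outside the hunk) carries the "Delete selected" submit button and posts to this same script, yet receives no `[% INCLUDE 'csrf-token.inc' %]` in this change. Since additional-contents.pl now rejects `delete_confirmed` requests that lack a token (see the server-side section of this commit), that form will fail closed unless it already has the include or only populates `del_ids` and submits `delete_single` via script. Worth confirming in the full template and adding `[% INCLUDE 'csrf-token.inc' %]` there if it submits directly; the same check applies to any other form in this template that posts a state-changing op to additional-contents.pl.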


@ -28,7 +28,7 @@ use C4::Auth qw(get_template_and_user);
use C4::Koha;
use C4::Context;
use C4::Log qw( logaction );
use C4::Output qw(output_html_with_http_headers);
use C4::Output qw(output_html_with_http_headers output_and_exit_if_error);
use C4::Languages qw(getTranslatedLanguages);
use Koha::DateUtils qw( dt_from_string output_pref );
@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) {
);
}
elsif ( $op eq 'add_validate' ) {
output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
my $location = $cgi->param('location');
my $code = $cgi->param('code');
my $branchcode = $cgi->param('branchcode') || undef;
@ -199,6 +200,7 @@ elsif ( $op eq 'add_validate' ) {
}
}
elsif ( $op eq 'delete_confirmed' ) {
output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
my @ids = $cgi->multi_param('ids');
my $deleted = eval {