Bug 37779: Fix forms that POST without an op in tag moderation

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

There are two in tags/review.tt: the filters for term, status, reviewer, and
dates, which are better as a GET since you can then bookmark and link to a
particular set of filters, and the no-JavaScript fallback for checking whether
a term has been approved or rejected, which currently doesn't work at all,
but with a working op param then works just fine as a GET.

Test plan:

If you have to use Chrome, you're on your own for disabling JavaScript
and getting rid of the body {display: none !important} style rule; my plan
uses Firefox's devtools to do it.

 1. Without the patch, Tools - Tags - change the filter from the default
    status "pending" to "all", Apply, and bookmark the page
 2. Open your bookmark, note that it's status "pending"
 3. You can't test the no-JS fallback for term testing since it doesn't
    work, so apply patch and restart_all
 4. Tools - Tags - change the filter from the default status "pending"
    to "all", Apply, and bookmark the page
 5. Open your bookmark, note that it's status "all"
 6. You need a couple of tags to test the Test feature, so open the OPAC,
    log in, search for any record and add the tags approveme, rejectme
 7. Back in Tools - Tags, click the Reject button to reject rejectme
 8. In the Check lists input, test that approveme shows "approveme is
    permitted!" and rejectme shows "rejectme is prohibited!"
 9. Now to disable JavaScript, open Firefox's More tools - Web Developer
    Tools. You're going to need the Style Editor, so if it's not visible
    you'll want to enable it in Settings in the next step
10. Top bar, right side, there's a three-dots menu, with an option for
    Settings. In Advanced settings, click the checkbox for Disable JavaScript
    (which as hovering the * says, is only for that tab and only until you
    close the tab or the toolbox).
11. Checking Disable JavaScript turned your page to blank white, so go to
    the Style Editor, where the first thing, already selected, is an inline
    style sheet with the rule "body {display: none !important}" - select all
    the text of the rule and delete it, which you'll have to do on every
    page load
12. In the Check lists input, test that approveme still shows "approveme
    is permitted!" (after you delete the display: none !important rule, and
    with a rather annoying message about "Tested 1 Term(s)." replacing the
    list of terms).

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda 2024-08-29 21:10:13 -07:00 committed by Katrin Fischer
parent 663dd897d5
commit 54aad5771a
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834

@ -245,8 +245,8 @@
<fieldset class="brief">
<h4>Check lists</h4>
<div class="description">Enter a word or phrase to check against approved/rejected lists: </div>
<form method="post" action="/cgi-bin/koha/tags/review.pl">
[% INCLUDE 'csrf-token.inc' %]
<form method="get" action="/cgi-bin/koha/tags/review.pl">
<input type="hidden" name="op" value="test">
<input type="text" size="14" name="test" id="test" />
<fieldset class="action">
<button type="submit" value="Test" class="approval_btn btn btn-default btn-md" id="test_button" name="op-test"><i class="fas fa-check-square" aria-hidden="true"></i> Test</button>
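Review bot: the button in this hunk still carries `name="op-test"` next to the new `<input type="hidden" name="op" value="test">`, so a no-JavaScript submit now sends both `op=test` and `op-test=Test`; if review.pl reads only `op`, consider dropping the button's `name` attribute (or giving the button `name="op" value="test"` and removing the hidden input) so the op comes from a single place. Removing `[% INCLUDE 'csrf-token.inc' %]` together with the switch to `method="get"` is consistent with the commit message: this form only checks a term against the approved/rejected lists and changes no state, so it needs neither a token nor a `cud-` op.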
@ -271,8 +271,7 @@
</div> <!-- /.col-sm-10 order-sm-1 order-md-2 -->
<div class="col-md-2 order-sm-2 order-md-1">
<aside>
<form method="post" action="/cgi-bin/koha/tags/review.pl">
[% INCLUDE 'csrf-token.inc' %]
<form method="get" action="/cgi-bin/koha/tags/review.pl">
<fieldset class="brief">
<h4>Filters</h4>
<ol>
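Review bot: unlike the Check lists form above, the filters form gains no hidden `op` input when it switches to `method="get"`, and the visible context stops at `<ol>` before the form's submit control; please confirm that the Apply button (or a hidden input further down) still sends whatever op review.pl uses to tell a filter submission from a plain page load, otherwise the filters work only by accident of which parameters happen to be present. GET itself is the right choice here: term, status, reviewer and dates only select what is displayed and modify nothing, so they belong in the query string where, as the commit message says, the resulting page can be bookmarked and linked, and dropping `[% INCLUDE 'csrf-token.inc' %]` loses nothing for a read-only request.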