Bug 37769: Fix forms that POST without an op in currency administration

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

This patch changes the form around the OK button when you are told you can't
delete a currency which is in use, and the No, do not delete button when you
could delete a currency and decide not to, from a POST to a GET because all
they need to do is show the list of currencies again.

The only visible change from the patch is that the URL will end with a "?"
from having done a GET without any params. Someone who wants to decide
which of our link-as-cancel-button styles to use is welcome to switch them
to links, in a bug not blocking an RM_priority bug.

Test plan:
1. No changes to see, so apply the patch first
2. Administration - Currencies and exchange rates
3. You need one currency in use and one not in use. Luckily, ktd gave you
   USD for in use, and GBP for not in use. For USD, click the Deleete button
4. On the page telling you that you can't delete it because it's in use,
   click the OK button and verify that you are back at the list of currencies
5. Click the Delete button for GBP, then the No, do not delete button
6. Verify that you are back at the list of currencies

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Phil Ringnalda 2024-08-29 15:31:50 -07:00 committed by Katrin Fischer
parent e03aecfd50
commit 81bc750e00
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834

View file

@ -180,8 +180,7 @@
[% END %] [% END %]
<span>Deletion not possible</span> <span>Deletion not possible</span>
</p> </p>
<form action="/cgi-bin/koha/admin/currency.pl" method="post"> <form action="/cgi-bin/koha/admin/currency.pl" method="get">
[% INCLUDE 'csrf-token.inc' %]
<button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> OK</button> <button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> OK</button>
</form> </form>
</div> </div>
@ -202,8 +201,7 @@
<input type="hidden" name="currency_code" value="[% currency.currency | html %]" /> <input type="hidden" name="currency_code" value="[% currency.currency | html %]" />
<button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> Yes, delete this currency</button> <button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> Yes, delete this currency</button>
</form> </form>
<form action="/cgi-bin/koha/admin/currency.pl" method="post"> <form action="/cgi-bin/koha/admin/currency.pl" method="get">
[% INCLUDE 'csrf-token.inc' %]
<button type="submit" class="btn btn-default deny"><i class="fa fa-fw fa-times"></i> No, do not delete</button> <button type="submit" class="btn btn-default deny"><i class="fa fa-fw fa-times"></i> No, do not delete</button>
</form> </form>
</div> </div>