Bug 37074: Comment approval and un-approval should be CSRF-protected

This patch converts the "Approve" and "Unapprove" controls in the staff
client's comment moderation page so that the operations are POST instead
of GET.

To test, apply the patch and restart services.

- If necessary, enable OPACComments and submit a few comments on a few
  titles in the OPAC
- Go to Tools -> Comments
- Test the process of approving, unapproving, and deleting comments

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Owen Leonard 2024-06-12 17:49:25 +00:00 committed by Katrin Fischer
parent 558b900895
commit 9a8fac823b
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
2 changed files with 20 additions and 3 deletions

@ -97,10 +97,27 @@
[% review.review | html %]
</td>
<td class="actions">
[% IF ( status ) %]<a href="/cgi-bin/koha/reviews/reviewswaiting.pl?op=unapprove&amp;reviewid=[% review.reviewid | uri %]" class="btn btn-default btn-xs"><i class="fa fa-times"></i> Unapprove</a>[% ELSE %]<a href="/cgi-bin/koha/reviews/reviewswaiting.pl?op=approve&amp;reviewid=[% review.reviewid | uri %]" class="btn btn-default btn-xs"><i class="fa fa-check"></i> Approve</a>[% END %]
[% IF ( review.approved ) %]
<form action="/cgi-bin/koha/reviews/reviewswaiting.pl" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="cud-unapprove" />
<input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
<input type="hidden" name="reviewid" value="[% review.reviewid | html %]" />
<button type="submit" class="btn btn-default btn-xs"><i class="fa fa-times" aria-hidden="true"></i> Unapprove</button>
</form>
[% ELSE %]
<form action="/cgi-bin/koha/reviews/reviewswaiting.pl" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="cud-approve" />
<input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
<input type="hidden" name="reviewid" value="[% review.reviewid | html %]" />
<button type="submit" class="btn btn-default btn-xs"><i class="fa fa-check" aria-hidden="true"></i> Approve</button>
</form>
[% END %]
<form action="/cgi-bin/koha/reviews/reviewswaiting.pl" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="cud-delete" />
<input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
<input type="hidden" name="reviewid" value="[% review.reviewid | html %]" />
<button type="submit" class="btn btn-default btn-xs delete-comment"><i class="fa fa-trash-can" aria-hidden="true"></i> Delete</button>
</form>
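Review bot: the visibility test changes from the page-level `[% IF ( status ) %]` to the per-review `[% IF ( review.approved ) %]`, a behavioural change the commit message does not mention; it is only equivalent because the list is built from `Koha::Reviews->search_limited({ approved => $status })`, so either say so in the message or keep `status` so the two cannot drift apart. The new forms also post a hidden `biblionumber`, but the handler hunk below reads only `$reviewid`; confirm the script uses `biblionumber` (for example to rebuild the listing after the action) or drop the input. The added forms otherwise mirror the existing delete form (same action, `[% INCLUDE 'csrf-token.inc' %]`, `cud-` op), and switching the hidden values from the old link's `| uri` to `| html` is the right filter for attribute context.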

@ -42,11 +42,11 @@ my $page = $query->param('page') || 1;
my $count = C4::Context->preference('numSearchResults') || 20;
my $total = Koha::Reviews->search_limited({ approved => $status })->count;
if ( $op eq 'approve' ) {
if ( $op eq 'cud-approve' ) {
my $review = Koha::Reviews->find( $reviewid );
$review->approve if $review;
}
elsif ( $op eq 'unapprove' ) {
elsif ( $op eq 'cud-unapprove' ) {
my $review = Koha::Reviews->find( $reviewid );
$review->unapprove if $review;
}
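Review bot: renaming the ops to `cud-approve` and `cud-unapprove` means a request that still sends `op=approve` or `op=unapprove` (a bookmarked link or a template not touched by this patch) now matches neither branch and silently does nothing; grep for remaining references and either update them or respond with an explicit error rather than falling through. The CSRF enforcement itself is not visible in this hunk, since it depends on the `cud-` prefix being checked before these lines run, so the test plan should add a negative case alongside the happy path: a GET with `op=cud-approve`, or a POST without the token from `csrf-token.inc`, must be rejected and leave the review's approved state unchanged.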