Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 37767: Fix forms that POST without an op in Authority types

Browse source 
We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

In Authority types, that's dead code in the template that expects to show a
"Data deleted" confirmation page, but it never shows because rather than
setting the variable delete_confirmed and outputting the template, the op
cud-delete_confirmed just does a print $input->redirect() and exits, and, the
search for tags form that should be a GET so it can be bookmarked and linked
to.

Test plan:
 1. Without the patch, Administration - Authority types - choose one other
    than default, so you can see the code rather than "" in the URL -
    Actions - MARC structure
 2. For any tag (you *are* testing in a throwaway database, right?) click
    Actions - Delete then Yes, delete
 3. Note that you don't get a confirmation page, just redirected back to a
    search for your tag which no longer exists, with the searchfield and
    authtypecode nicely in the URL
 4. Click the Search button for the Search for tag form, without changing
    anything
 5. Note that your URL lost the searchfield and authtypecode
 6. Apply patch, restart_all
 7. Repeat steps 1, 2, and 3, with identical results like they should be
 8. Repeat step 4, but this time note that the searchfield and authtypecode
    stay in the URL.
 9. Change the select menu for In framework and click Search, note that
    the searchfield and frameworkcode are still in the URL and still correct
    and that the correct results show
10. Change the tag number and hit Enter, and verify that the URL and the
    page show the correct results

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Phil Ringnalda 2024-08-29 17:34:36 -07:00 committed by Katrin Fischer
parent 26de0bfaa0
commit e03aecfd50
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
1 changed files with 1 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_tag_structure.tt
View file

@ -200,16 +200,6 @@
</div>
[% END %]
[% IF ( delete_confirmed ) %]
<div class="alert alert-info"> <h3>Data deleted</h3>
<form action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="authtypecode" value="[% authtypecode | html %]" />
<input type="hidden" name="searchfield" value="[% searchfield | html %]" />
<input type="submit" value="OK" class="btn btn-primary" />
</form></div>
[% END %]
[% IF ( authtype_create ) %]
<form action="[% script_name | html %]" method="post">
@ -233,8 +223,7 @@
[% IF ( else ) %]
<form action="[% script_name | html %]" method="post">
[% INCLUDE 'csrf-token.inc' %]
<form action="[% script_name | html %]" method="get">
<fieldset>
<label for="searchfield"><strong>Search for tag:</strong></label>
<input type="text" id="searchfield" name="searchfield" size="4" value="[% searchfield | html %]" />