Bug 37914: Forms for budget planning filters and export should GET rather than POST

Because of the bug 36192 CSRF protection, we intend not to have forms that
POST without a param named 'op' with a value starting with 'cud-'. Because
of bug 37728, a few were missed, including the 'Filters' form that lets you
switch between planning budgets by month or by itemtype or by library, and
the 'Export' form that lets you save your planning as a .csv file. Neither
one has any need to POST; they can just be the GET they naturally are.

Alas, the default data won't let you exercise everything, so there's a lot of
setup before the actual testing.

Test plan:
 1. Patrons - search for Acevedo - More-> Set permissions - check
    Acquisitions management and Save
 2. Administration - Authorized values - Asort1 - New authorized value for
    Asort1 - value Q1, description First Quarter, then repeat for Q2, Q3, Q4
 3. Administration - Budgets - New budget - give it a start date of today,
    end date of a year from today, a description, a total amount of
    100000.00, for Statistic 1 done on choose Asort1
 4. Click the name of your new budget - New-> New fund for (name) - give it
    the code my, name My money, amount 75000.00 and Submit
 5. New-> New fund for (name) - give it the code his, name Henry's money,
    amount 25000.00, and click Select owner, find Henry and Select, then
    Submit
 6. Acquisitions - click Search on an empty search box to find the only
    vendor - New-> Basket - Give it a name and Save
 7. Add to basket - From an existing record (search for something like Perl)
    click any bib record - Add order - set the required item type and click
    Add item
 8. Scroll down to the Accounting details form, change Fund to My money, and
    enter 20.00 for the Vendor price and click Save. You just made that
    fund "active" in the eyes of the Filter form, by spending some of it.
 9. Finally set up. Administration - Budgets - click the name of your budget
10. Planning-> Plan by months
11. In the upper left Filter box, check Show my funds only and Submit - you
    should see Henry's money disappear
12. Uncheck Show my funds only and check Show active funds only and Submit -
    you should see Henry's money disappear
13. Check Show actual/estimated values and Submit, you should see text for
    the actual (only in this month, since that's all you spent) and wee
    little shrunken text boxes for the planning numbers
14. Uncheck all the boxes and change the dropdown from by months to by Asort1
    (either one of them, there being two is bug 34159) and Submit, you should
    have four columns for Q1 - Q4 and only for My money, since Henry doesn't
    use Asort1
15. Click the Auto-fill row button, and Save
16. In the Export form (which isn't much of a form, since you only have a
    choice for the filename) click Submit
17. You should have downloaded a .csv file, and if you open it it should
    have the info from your current planning form.
18. Apply patch, restart_all
19. Repeat steps 9-17, getting the same results you did without the patch

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Phil Ringnalda 2024-09-12 15:39:46 -07:00 committed by Katrin Fischer
parent 9e43658e6f
commit e21419b733
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
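
The convention the commit message describes (a form that POSTs must carry an `op` parameter whose value starts with `cud-`, and a read-only form can be a GET without the CSRF token include) can be checked mechanically over a template. The Python sketch below is an added example, not part of this commit or of Koha's code; the sample template is constructed from the form lines in the diff, and the names `FormAudit` and `audit` and the value `cud-save` are assumptions.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Record each <form>: start line, method, 'op' values, CSRF include."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            method = (a.get("method") or "get").lower()  # HTML default is GET
            self._cur = {"line": self.getpos()[0], "method": method,
                         "ops": [], "csrf": False}
            self.forms.append(self._cur)
        elif self._cur is not None and a.get("name") == "op":
            self._cur["ops"].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

    def handle_data(self, data):
        # Template Toolkit directives reach the HTML parser as plain text.
        if self._cur is not None and "csrf-token.inc" in data:
            self._cur["csrf"] = True

def audit(template):
    """Return (line, message) for each form that breaks the convention."""
    parser = FormAudit()
    parser.feed(template)
    parser.close()
    findings = []
    for f in parser.forms:
        has_cud = any(v.startswith("cud-") for v in f["ops"])
        if f["method"] == "post" and not has_cud:
            findings.append((f["line"], "POST form without op=cud-*"))
        if f["method"] != "post" and f["csrf"]:
            findings.append((f["line"], "GET form still includes csrf-token.inc"))
    return findings

# Constructed sample: the pre-patch Filter form, then a save form whose
# op value "cud-save" is a placeholder chosen for this example.
BEFORE = """<form method="post" action="/cgi-bin/koha/admin/aqplan.pl">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="budget_period_id" value="[% budget_period_id | html %]" />
<input type="submit" name="option_submit" value="Submit" />
</form>
<form method="post" action="/cgi-bin/koha/admin/aqplan.pl">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="cud-save" />
</form>
"""
# The same template with the first form changed the way this patch changes it.
AFTER = BEFORE.replace('method="post"', 'method="get"', 1).replace(
    "[% INCLUDE 'csrf-token.inc' %]\n", "", 1)
```

`audit(BEFORE)` flags only the Filter form on line 1, and `audit(AFTER)` returns no findings because the remaining POST form carries a `cud-` op.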

@ -206,8 +206,7 @@
<div class="col-md-2 order-sm-2 order-md-1"> <div class="col-md-2 order-sm-2 order-md-1">
<aside> <aside>
<form method="post" action="/cgi-bin/koha/admin/aqplan.pl"> <form method="get" action="/cgi-bin/koha/admin/aqplan.pl">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="budget_period_id" value="[% budget_period_id | html %]" /> <input type="hidden" name="budget_period_id" value="[% budget_period_id | html %]" />
<fieldset class="brief"> <fieldset class="brief">
<h4>Filter</h4> <h4>Filter</h4>
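Review bot: On the Filter form's opening tag, moving to method="get" and dropping the csrf-token.inc include is only safe if aqplan.pl performs no write for any parameter this form submits, and the hunk shows the template side only. Please confirm in the script that the filter parameters are read-only and that the planning save path still requires a POST with a 'cud-' op, as the commit message says bug 36192 intends. It is also worth noting in the commit message that the chosen filter settings and budget_period_id will now appear in the URL, in browser history and in server access logs.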
@ -263,12 +262,10 @@
</fieldset> </fieldset>
<fieldset class="action"> <fieldset class="action">
<input type="submit" name="option_submit" class="btn btn-primary" value="Submit" /> <input type="submit" name="option_submit" class="btn btn-primary" value="Submit" />
<input type="hidden" name="budget_period_id" value="[% budget_period_id | html %]" />
</fieldset> </fieldset>
</form> </form>
[% IF ( budget_lines ) %] [% IF ( budget_lines ) %]
<form method="post" action="/cgi-bin/koha/admin/aqplan.pl"> <form method="get" action="/cgi-bin/koha/admin/aqplan.pl">
[% INCLUDE 'csrf-token.inc' %]
<fieldset class="brief"> <fieldset class="brief">
<h4>Export</h4> <h4>Export</h4>
<ol> <ol>
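Review bot: The removal of the second hidden budget_period_id input inside fieldset.action is not mentioned in the commit message, which only describes the switch to GET. The Filter form already carries the same hidden input right after its opening tag, so under GET the duplicate would have put budget_period_id into the query string twice; a sentence saying that is why it was dropped would help the next reader. For the Export form, the visible lines stop at the opening ol, so please confirm that everything it submits is read-only, since the download is now reachable through a plain URL with no token.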