Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 35019: Add a CSRF token when deleting news

Browse source 
I add a CSRF token as a parameter in the link for deleting a news
entry, which solves the problem.

TEST PLAN
1) Apply the patch
2) Go to "Tools > News > New entry"
3) "Display location" should be set to "Staff interface"
4) Fill in the fields
5) Return to the homepage
6) Delete the created news entry
7) The "Additional contents" page is displayed, and the deleted news
   entry no longer appears
8) Return to the homepage; the news entry no longer displays

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Edit: adapted the template change to latest master inline
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This commit is contained in:
Emily-Rose Francoeur 2023-10-10 13:30:43 -04:00 committed by Tomas Cohen Arazi
parent d742f29d77
commit f4b8587782
Signed by: tomascohen
GPG key ID: 0A272EA1B2F3C15F
2 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
View file

@ -34,7 +34,7 @@
<p class="newsfooter"> Posted on [% koha_new.published_on | $KohaDates %][% IF( show_author && koha_new.author ) %] by <span class="newsauthor">[% INCLUDE 'patron-title.inc' patron=koha_new.author %]<br />[% END %]
[% IF ( CAN_user_tools_edit_additional_contents ) %]
<a href="/cgi-bin/koha/tools/additional-contents.pl?op=add_form&amp;id=[% koha_new.additional_content_id | uri %]">Edit</a>
| <a class="news_delete" href="/cgi-bin/koha/tools/additional-contents.pl?op=delete_confirmed&amp;ids=[% koha_new.additional_content_id | html %]">Delete</a>
| <a class="news_delete" href="/cgi-bin/koha/tools/additional-contents.pl?op=delete_confirmed&amp;ids=[% koha_new.additional_content_id | html %]&amp;csrf_token=[% csrf_token | uri %]">Delete</a>
| <a href="/cgi-bin/koha/tools/additional-contents.pl?op=add_form">New</a>
[% END %]
</p>

2
mainpage.pl
View file

@ -37,6 +37,7 @@ use Koha::Suggestions;
use Koha::BackgroundJobs;
use Koha::CurbsidePickups;
use Koha::Tickets;
use Koha::Token;
my $query = CGI->new;
@ -69,6 +70,7 @@ my $koha_news = Koha::AdditionalContents->search_for_display(
$template->param(
koha_news => $koha_news,
csrf_token => Koha::Token->new->generate_csrf( { session_id => $query->cookie('CGISESSID'), } ),
daily_quote => Koha::Quotes->get_daily_quote(),
);