Some svc scripts (and controllers) are using using is_ajax to guess if
it's an AJAX request.
$.ajax is setting the (non standard) X-Requested-With header, but the
low level JS 'fetch' does not.
This patch set it in http-client.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
APIClient is not a global variable, which will make the next changes
much easier!
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Well, this test was silly, I was focussed on propagating an error to the
UI, but we really need to explode in this case.
Note that this requires more work as login is now broken.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We are retrieving the awesome fetch modules from Vue, so that it can be
used in other areas. Here we will use it to inject the CSRF token to the
header of every POST request.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Suggestion to move the CSRF check to CGI->new so that we will check it
for every request, and it will cover svc scripts as well (they are not
using get_template_and_user).
The token will be retrieve from the param list *or the csrf_token
header* (do we want to name it x-koha-csrf-token instead?).
This will be done for *every* request that are not GET: CSRF token is now
required everywhere CGI is used (side-effects possible?).
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 36102: [TO SQUASH] (follow-up 2) Add cud-login to the login form - fix tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
I *think* this change fixes a bug when starting the installer with an
expired session. I am no longer able to reproduce the problem however.
Just skip if it does not make sense.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the cookie contain an expired sessionID we need to create another
one to correctly generate the CSRF token.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Hum this didn't make sense. We are not checking credentials after
checkauth.
This patch is suggesting to rename "userid" and "password" parameters
from login forms to "login_userid" and "login_password" to not interfere
with other parameters with the same name.
This looks quite correct, however I am seeing
"The form submission failed (Wrong CSRF token)."
in the log after a successful login. Which feels wrong, what's
happening?
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Something very weird is happening here.
There is a FIXME already, but the trick does not seem to work anymore
(?)
This patch contains some debug statements and take some screenshots.
We are reaching the cud-selectframeworks step then we are expecting the
form to submit the form with op=cud-addframeworks
BUT it seems that "op" is empty, and there is an unexpected warning from
Starman:
==> /var/log/koha/kohadev/plack-error.log <==
""
Use of uninitialized value in string ne at /usr/share/perl5/Starman/Server.pm line 304.
==> /var/log/koha/kohadev/plack-intranet-error.log <==
[2024/02/15 13:09:34] [WARN] Warning: something's wrong at /kohadevbox/koha/installer/install.pl line 89.
What's going on here??
UPDATE: This is fixed by "Bug 34478: Manual fix - Make Koha::Token use
session id not userenv id"
Bug 36102: [TO SQUASH] Fix 01-installation.t
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This improves display. This only comes up when you try to reset your
password after you did already.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
multi_renew now has a validation step
This patch also removes 2 variables that were not used ($mode and $done)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This should be on its own bug. Feel free to do it if you have the
energy, I do not.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We can certainly do better here (too many duplicated code in on click
functions), but it's good enouh for now...
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nothing to POST, we could move to GET, but we do not have parameters. A
link is good here.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch updates the serials toolbar and related JS so that delete,
close, and reopen are all POST operations.
The patch also fixes an incorrect op check in the subscription search
popup.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The 'delete_confirm' op leads to a confirmation page, so it's GET.
The patch also consolidates JS for handling deletions, using the same
class for both the delete button in the toolbar and in the table of
lists.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The template uses checks on the op value to show messages, so those
checks have to be updated with the new values.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
