Marcel de Rooy
5a7dc0749f
Without this patch, it is possible to delete authority records with URL manipulation. Like:

/cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]

Test plan:
[1] Go to Authorities. Search for some authorities (without links).
[2] Delete an authority. Should work.
[3] Apply patch.
[4] Construct a URL like above to delete another authority. Should fail.
Under Plack this results in an internal server error; the log tells you: Wrong CSRF token.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Amended the test plan.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
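The check the test plan exercises, as an added stand-alone Python illustration that is not Koha's code (Koha is Perl and has its own token module): a CSRF token derived from the session is required on the op=delete branch, so a URL carrying only op and authid is refused while the same request with a token minted for that session succeeds. The handler, session id, authority store and server secret below are all constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side secret; a real deployment would load it from config.
SERVER_SECRET = secrets.token_bytes(32)

def generate_csrf(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(secret, session id), hex encoded.
    A token minted for another session will not verify for this one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_csrf(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison; a missing or empty token is simply invalid."""
    if not token:
        return False
    return hmac.compare_digest(generate_csrf(session_id), token)

def handle_authorities_home(url: str, session_id: str, authorities: dict) -> str:
    """Simplified stand-in (not Koha's code) for authorities-home.pl.

    Before the patch the op=delete branch trusted the query string alone, so
    any link or redirect to ?op=delete&authid=N removed record N. Now the
    branch first demands a csrf_token that verifies against the session."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if params.get("op") != "delete":
        return "home"
    if not check_csrf(session_id, params.get("csrf_token")):
        # Same outcome the commit message describes in the Plack log.
        return "Wrong CSRF token"
    authid = params.get("authid")
    if authid not in authorities:
        return "unknown authid"
    del authorities[authid]
    return f"deleted {authid}"

if __name__ == "__main__":
    # Constructed session id and authority store.
    sid = "CGISESSID-constructed"
    store = {"123": "constructed authority record"}
    base = "/cgi-bin/koha/authorities/authorities-home.pl"
    print(handle_authorities_home(f"{base}?op=delete&authid=123", sid, store))
    token = generate_csrf(sid)
    print(handle_authorities_home(f"{base}?op=delete&authid=123&csrf_token={token}", sid, store))
```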