From 81bc750e00980285ef93674e10be46a719d1e95c Mon Sep 17 00:00:00 2001
From: Phil Ringnalda <phil@chetcolibrary.org>
Date: Thu, 29 Aug 2024 15:31:50 -0700
Subject: [PATCH] Bug 37769: Fix forms that POST without an op in currency
 administration

We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.

This patch changes the form around the OK button when you are told you can't
delete a currency which is in use, and the No, do not delete button when you
could delete a currency and decide not to, from a POST to a GET because all
they need to do is show the list of currencies again.

The only visible change from the patch is that the URL will end with a "?"
from having done a GET without any params. Someone who wants to decide
which of our link-as-cancel-button styles to use is welcome to switch them
to links, in a bug not blocking an RM_priority bug.

Test plan:
1. No changes to see, so apply the patch first
2. Administration - Currencies and exchange rates
3. You need one currency in use and one not in use. Luckily, ktd gave you
   USD for in use, and GBP for not in use. For USD, click the Deleete button
4. On the page telling you that you can't delete it because it's in use,
   click the OK button and verify that you are back at the list of currencies
5. Click the Delete button for GBP, then the No, do not delete button
6. Verify that you are back at the list of currencies

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
index 07665671b0..0cf35c914d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
@@ -180,8 +180,7 @@
             [% END %]
             <span>Deletion not possible</span>
         </p>
-        <form action="/cgi-bin/koha/admin/currency.pl" method="post">
-            [% INCLUDE 'csrf-token.inc' %]
+        <form action="/cgi-bin/koha/admin/currency.pl" method="get">
             <button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> OK</button>
         </form>
     </div>
@@ -202,8 +201,7 @@
             <input type="hidden" name="currency_code" value="[% currency.currency | html %]" />
             <button type="submit" class="btn btn-default approve"><i class="fa fa-fw fa-check"></i> Yes, delete this currency</button>
         </form>
-        <form action="/cgi-bin/koha/admin/currency.pl" method="post">
-            [% INCLUDE 'csrf-token.inc' %]
+        <form action="/cgi-bin/koha/admin/currency.pl" method="get">
             <button type="submit" class="btn btn-default deny"><i class="fa fa-fw fa-times"></i> No, do not delete</button>
         </form>
     </div>
-- 
2.39.5