From 52f928beb013942d13d0fabf420a5ea7d2c29f6c Mon Sep 17 00:00:00 2001
From: Owen Leonard <oleonard@myacpl.org>
Date: Tue, 30 Jul 2024 12:13:23 +0000
Subject: [PATCH] Bug 37523: CSRF error when modifying an existing patron
 record
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This patch modifies the patron entry template to avoid a CSRF error when
clicking the "Edit existing record" button after a duplicate patron is
found. The operation should be GET and thus can be a link.

To test, apply the patch and go to Patrons.

- If you aren't using the default testing data you should first locate
  an existing patron record so you can refer to the details.
- Start the process of creating a new patron record.
- Use the existing patron's data to fill out the form.
  - With the default data you can use:
    - Surname: Bennett
    - First name: Pamela
    - Date of birth: 09/16/1946
    - Any random new card number
- When you click "Save" you should get a duplicate patron warning:
  "Duplicate patron record?"
  - Click "It is a duplicate. Edit existing record."
  - You should be taken to the edit form for the existing patron.

Sponsored-by: Athens County Public Libraries
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Johanna Räisä <johanna.raisa@gmail.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2f6226ad695a7092c71ba86d06bd9d7edac8f583)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
---
 .../prog/en/modules/members/memberentrygen.tt            | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
index 6877ef453f..fe81a88bb8 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
@@ -144,7 +144,7 @@ legend.collapsed i.fa.fa-caret-down::before {
                             <div class="dialog alert">
                                 <h3>Duplicate patron record?</h3>
                                 <p><a class="popup_patronview" href="/cgi-bin/koha/members/moremember.pl?print=brief&amp;borrowernumber=[% check_member | uri %]"><i class="fa-solid fa-window-restore"></i> View existing record</a></p>
-                                <button id="duplicate" type="submit" class="new"> <i class="fa-solid fa-pencil" aria-hidden="true"></i> It is a duplicate. Edit existing record </button>
+                                <a href="/cgi-bin/koha/members/memberentry.pl?op=edit_form&borrowernumber=[% check_member | uri %]" class="btn btn-default" id="duplicate"> <i class="fa-solid fa-pencil" aria-hidden="true"></i> It is a duplicate. Edit existing record </a>
                                 <button type="submit" id="not-duplicate" class="new"> <i class="fa fa-plus"></i> Not a duplicate. Save as new record </button>
                             </div>
                         [% END %]
@@ -1951,13 +1951,6 @@ legend.collapsed i.fa.fa-caret-down::before {
                 }
             });
 
-            $('#duplicate').on('click', function() {
-                $("input[name='op']").val('edit_form');
-                $("input[name='borrowernumber']").val('[% check_member | html %]');
-                $("input[name='check_member']").val('');
-                $('#entryform').submit();
-            });
-
             $('#not-duplicate').on('click', function() {
                 $("input[name='nodouble']").val('1');
                 $('#entryform').submit();
-- 
2.39.5