From e03aecfd50807ed41f54859c60a35f1d61376678 Mon Sep 17 00:00:00 2001
From: Phil Ringnalda
Date: Thu, 29 Aug 2024 17:34:36 -0700
Subject: [PATCH] Bug 37767: Fix forms that POST without an op in Authority types

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed.

In Authority types, that's dead code in the template that expects to show a "Data deleted" confirmation page, but it never shows because rather than setting the variable delete_confirmed and outputting the template, the op cud-delete_confirmed just does a print $input->redirect() and exits, and, the search for tags form that should be a GET so it can be bookmarked and linked to.

Test plan:
1. Without the patch, Administration - Authority types - choose one other than default, so you can see the code rather than "" in the URL - Actions - MARC structure
2. For any tag (you *are* testing in a throwaway database, right?) click Actions - Delete then Yes, delete
3. Note that you don't get a confirmation page, just redirected back to a search for your tag which no longer exists, with the searchfield and authtypecode nicely in the URL
4. Click the Search button for the Search for tag form, without changing anything
5. Note that your URL lost the searchfield and authtypecode
6. Apply patch, restart_all
7. Repeat steps 1, 2, and 3, with identical results like they should be
8. Repeat step 4, but this time note that the searchfield and authtypecode stay in the URL.
9. Change the select menu for In framework and click Search, note that the searchfield and frameworkcode are still in the URL and still correct and that the correct results show
10. Change the tag number and hit Enter, and verify that the URL and the page show the correct results

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer --- .../prog/en/modules/admin/auth_tag_structure.tt | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_tag_structure.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_tag_structure.tt index fa0974bc4f..7f6500c938 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_tag_structure.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_tag_structure.tt @@ -200,16 +200,6 @@ [% END %] -[% IF ( delete_confirmed ) %] - -

Data deleted

-
- [% INCLUDE 'csrf-token.inc' %] - - - -
-[% END %] [% IF ( authtype_create ) %]
@@ -233,8 +223,7 @@ [% IF ( else ) %] - - [% INCLUDE 'csrf-token.inc' %] +
-- 2.39.5
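
Review bot: In the @@ -200,16 +200,6 @@ hunk, removing the `[% IF ( delete_confirmed ) %]` block is only safe if nothing on the Perl side still passes a template parameter named delete_confirmed, and the diffstat shows 1 file changed, so the script is not touched here. The commit message states that the op cud-delete_confirmed redirects and exits; please confirm by searching the script that renders this template for any remaining delete_confirmed assignment, and remove it in the same patch if one exists so the template and script stay in sync. It would also help to note in the commit message that the deleted branch contained the POST form with `[% INCLUDE 'csrf-token.inc' %]`, since that is the form the subject line refers to.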
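
Review bot: In the @@ -233,8 +223,7 @@ hunk, dropping `[% INCLUDE 'csrf-token.inc' %]` from the form under `[% IF ( else ) %]` is correct only if the replacement form line declares method="get" explicitly and the request it sends is handled read-only, with no op beginning with "cud-". Please confirm that the code path receiving searchfield and authtypecode performs no writes, because after this change those requests arrive without a token and can be triggered by any link. Steps 8 to 10 of the test plan cover URL persistence; adding a step that checks the rendered page for any remaining method="post" form without an op would show that nothing else in this template was missed.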