From 54aad5771a7c492c70e53e7b52d8989c5b427cf5 Mon Sep 17 00:00:00 2001 
From: Phil Ringnalda
Date: Thu, 29 Aug 2024 21:10:13 -0700
Subject: [PATCH] Bug 37779: Fix forms that POST without an op in tag moderation

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed. There are two in tags/review.tt: the filters for term, status, reviewer, and dates, which are better as a GET since you can then bookmark and link to a particular set of filters, and the no-JavaScript fallback for checking whether a term has been approved or rejected, which currently doesn't work at all, but with a working op param then works just fine as a GET.

Test plan:
If you have to use Chrome, you're on your own for the disabling JavaScript and getting rid of the body {display: none !important} style rule, my plan uses Firefox's devtools to do it
1. Without the patch, Tools - Tags - change the filter from the default status "pending" to "all", Apply, and bookmark the page
2. Open your bookmark, note that it's status "pending"
3. You can't test the no-JS fallback for term testing since it doesn't work, so apply patch and restart_all
4. Tools - Tags - change the filter from the default status "pending" to "all", Apply, and bookmark the page
5. Open your bookmark, note that it's status "all"
6. You need a couple of tags to test the Test feature, so open the OPAC, log in, search for any record and add the tags approveme, rejectme
7. Back in Tools - Tags, click the Reject button to reject rejectme
8. In the Check lists input, test that approveme shows "approveme is permitted!" and rejectme shows "rejectme is prohibited!"
8. Now to disable JavaScript, open Firefox's More tools - Web Developer Tools. You're going to need the Style Editor, so if it's not visible you'll want to enable it in Settings in the next step
9. Top bar, right side, there's a three-dots menu, with an option for Settings.
In Advanced settings, click the checkbox for Disable JavaScript (which as hovering the * says, is only for that tab and only until you close the tab or the toolbox).
10. Checking Disable JavaScript turned your page to blank white, so go to the Style Editor, where the first thing, already selected, is an inline style sheet with the rule "body {display: none !important}" - select all the text of the rule and delete it, which you'll have to do on every page load
11. In the Check lists input, test that approveme still shows "approveme is permitted!" (after you delete the display: none !important rule, and with a rather annoying message about "Tested 1 Term(s)." replacing the list of terms).

Sponsored-by: Chetco Community Public Library
Signed-off-by: Sukhmandeep Benipal
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
---
 koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
index d67435a885..514accf477 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
@@ -245,8 +245,8 @@

Check lists

Enter a word or phrase to check against approved/rejected lists:
-
- [% INCLUDE 'csrf-token.inc' %] + +
@@ -271,8 +271,7 @@
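
Review bot: The removed `[% INCLUDE 'csrf-token.inc' %]` line in the @@ -245,8 +245,8 @@ hunk (the Check lists form) leaves that form without a CSRF token, which is only acceptable if the replacement form tag really is method="get" and the op it submits does not start with "cud-" and is handled without changing any state. The added lines are not readable in this copy, so please confirm both points in the template and in the script that handles the op. A short template comment next to the form saying it is intentionally a GET with a read-only op would also help keep a later edit from turning it back into a POST with no token.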