]> git.koha-community.org Git - koha.git/commit
Bug 24673: Add CSRF token support to opac-messaging.pl v18.11.15
authorDavid Cook <dcook@prosentient.com.au>
Mon, 17 Feb 2020 06:50:49 +0000 (06:50 +0000)
committerHayley Mapley <hayleymapley@catalyst.net.nz>
Tue, 24 Mar 2020 01:33:11 +0000 (14:33 +1300)
commit7d0a0229778ba594032569c03b4042d56e5da930
treef11d055ef36bcca22840abeb0ec658682638411f
parentf97f271fd2a4e68c4ec02b940f521d648867efb5
Bug 24673: Add CSRF token support to opac-messaging.pl

This patch adds CSRF token support to opac-messaging.pl,
which allows users to manually update their messaging preferences,
but prevents bad actors from tricking people into updating their
preferences from cross-site requests.

Test plan:
0. Set SMSSendDriver global system preference to "Test" if unset
1. Log into the OPAC
2. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
3. Observe that the preference and SMS number update

4. Apply the patch

5. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
6. Observe that you get an error message of "Wrong CSRF token" instead
of the previous behaviour
7. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl
8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
9. Observe that the "Advance notice" and "SMS number" fields update
correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Joy Nelson <joy@bywatersolutions.com>
(cherry picked from commit 35cdeadbdfbf75731688f71778756aab73ffb824)

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt
opac/opac-messaging.pl