From 9a8fac823bcf81a924edeb3b4b51fd60455dcc7a Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Wed, 12 Jun 2024 17:49:25 +0000
Subject: [PATCH] Bug 37074: Comment approval and un-approval should be CSRF-protected
This patch converts the "Approve" and "Unapprove" controls in the staff client's comment moderation page so that the operations are POST instead of GET.
To test, apply the patch and restart services.
- If necessary, enable OPACComments and submit a few comments on a few titles in the OPAC
- Go to Tools -> Comments
- Test the process of approving, unapproving, and deleting comments
Signed-off-by: Lucas Gass
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
---
.../prog/en/modules/reviews/reviewswaiting.tt | 19 ++++++++++++++++++-
reviews/reviewswaiting.pl | 4 ++--
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tt
index 536ab93cc2..ef991d33c7 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tt
@@ -97,10 +97,27 @@ [% review.review | html %] - [% IF ( status ) %] Unapprove[% ELSE %] Approve[% END %] + [% IF ( review.approved ) %] +
+ [% INCLUDE 'csrf-token.inc' %] + + + + +
+ [% ELSE %] +
+ [% INCLUDE 'csrf-token.inc' %] + + + + +
+ [% END %]
[% INCLUDE 'csrf-token.inc' %] +
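Review bot: The two branches added under `[% IF ( review.approved ) %]` are near-duplicate forms — the `csrf-token.inc` include followed by the same run of inputs appears in both the unapprove and the approve branch — so a single form that only switches the `op` value and the button label would be easier to keep in sync, e.g. `<input type="hidden" name="op" value="[% IF review.approved %]cud-unapprove[% ELSE %]cud-approve[% END %]" />` for the op input. The markup of the inputs and buttons has not survived in this rendering, so I cannot confirm that the field names match what `reviewswaiting.pl` reads, that each form also carries the review's id, or that both forms declare `method="post"`; the token include on its own does not turn the request into a POST, so that attribute is worth checking on each form. The enclosing loop and row markup start before and end after the hunk's visible lines.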
diff --git a/reviews/reviewswaiting.pl b/reviews/reviewswaiting.pl
index f6bd5ff29d..b17dc8b9e1 100755
--- a/reviews/reviewswaiting.pl
+++ b/reviews/reviewswaiting.pl
@@ -42,11 +42,11 @@ my $page = $query->param('page') || 1;
 my $count = C4::Context->preference('numSearchResults') || 20;
 my $total = Koha::Reviews->search_limited({ approved => $status })->count;
-if ( $op eq 'approve' ) {
+if ( $op eq 'cud-approve' ) {
 my $review = Koha::Reviews->find( $reviewid );
 $review->approve if $review;
 }
-elsif ( $op eq 'unapprove' ) {
+elsif ( $op eq 'cud-unapprove' ) {
 my $review = Koha::Reviews->find( $reviewid );
 $review->unapprove if $review;
 }
-- 2.39.5
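Review bot: The new `cud-approve` and `cud-unapprove` branches still load the target with the unscoped `Koha::Reviews->find( $reviewid )`, while the listing just above is restricted through `search_limited`; if `search_limited` narrows which reviews this staff user may see (it reads like a per-library restriction), a user who supplies a `reviewid` outside that scope can still approve or unapprove it, and the `cud-` rename does nothing about that. Consider loading the review through the same scope, e.g. `my $review = Koha::Reviews->search_limited({ reviewid => $reviewid })->next;`, assuming `reviewid` is the primary-key column as the variable name suggests. The CSRF protection itself rests on the framework refusing `cud-*` ops that arrive over GET or without a valid token; the `$op` and `$reviewid` assignments sit above the hunk, so that cannot be confirmed from here. Note also that `$total` is computed before the approve/unapprove runs, so the count rendered for this request reflects the pre-action state unless the script redirects afterwards, which the hunk does not show. If a `delete` branch follows below the hunk, it needs the same `cud-` treatment that the commit message's test plan implies.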