From bba164856c1c4dfd1ec8e346c9b9d32955fdcad9 Mon Sep 17 00:00:00 2001
From: Janusz Kaczmarek
Date: Mon, 30 Sep 2024 09:22:03 +0000
Subject: [PATCH] Bug 38030: stocknumberAV.pl fails with CSRF protection

The value builder stocknumberAV.pl does not work after applying the CSRF protection. In console, it generates entries like:

POST http://localhost:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms]

Test plan:
==========
1. Modify the MARC bibliographic framework for the default framework by choosing stocknumberAV.pl as plugin for subfield 952 $i.
2. In Authorized values, add a new category 'INVENTORY'. Add a new entry there, e.g. 'ABC', with any number in Description (e.g. 123).
3. Find any bibliographic record, make sure it uses the default framework. If not, set the framework accordingly.
4. Edit an item linked to this record. Go to the 'i - Inventory number' subfield. You should see three dots on the right. In the input field put ABC and click the three dots.
5. Nothing happens. You can check in the browser console--there should be a message like:
   POST http://FQDN:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms]
6. Apply the patch; restart_all. Refresh the browser window.
7. Repeat p. 4. You should now get the next sequence number next to the 'ABC' (i.e. ABC 0000000124 or similar).

Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny
Signed-off-by: David Cook
Signed-off-by: Katrin Fischer
---
 cataloguing/value_builder/stocknumberAV.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cataloguing/value_builder/stocknumberAV.pl b/cataloguing/value_builder/stocknumberAV.pl
index c158ec7688..92e6e59dc0 100755
--- a/cataloguing/value_builder/stocknumberAV.pl
+++ b/cataloguing/value_builder/stocknumberAV.pl
@@ -50,8 +50,9 @@ my $builder = sub { function Click$params->{id}(ev) { ev.preventDefault(); var code = document.getElementById(ev.data.id); + const token = document.getElementsByName('csrf_token')[0].value; \$.ajax({ - url: '/cgi-bin/koha/cataloguing/plugin_launcher.pl', + url: '/cgi-bin/koha/cataloguing/plugin_launcher.pl?csrf_token=' + token, type: 'POST', data: { 'plugin_name': 'stocknumberAV.pl', -- 2.39.5
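Review bot: In the `+ const token = document.getElementsByName('csrf_token')[0].value;` line, `[0]` is dereferenced without checking that the page actually contains a `csrf_token` input, so on any page where that element is absent the click handler throws a TypeError and the request never fires; guard it, e.g. `const field = document.getElementsByName('csrf_token')[0];` followed by a check that `field` exists before reading `.value`. Also, the `+ url: '/cgi-bin/koha/cataloguing/plugin_launcher.pl?csrf_token=' + token,` line puts the token in the URL query string, and a POST URL still ends up in web-server, reverse-proxy and browser-history logs; if the server-side CSRF check also reads the token from the POST body, adding `'csrf_token': token,` to the `data` object next to `'plugin_name'` keeps it out of those logs.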