From bc1af60e1ac8c9b7de5aab79239899ad2a437345 Mon Sep 17 00:00:00 2001 From: Janusz Kaczmarek Date: Wed, 2 Oct 2024 18:04:56 +0000 Subject: [PATCH] Bug 38065: Auto control number (001) widget in advanced editor does not work under CSRF protection Auto control number (001) widget in advanced editor does not work under CSRF protection. A token should be passed to POST ... control_num_sequences call. Test plan: ========== 1. Verify that the CONTROL_NUM_SEQUENCE category in authorized values is present. 3. Add a new authorized value for CONTROL_NUM_SEQUENCE: b) authorised value: sprLib0001 c) in Description - a short string indicating the type of control number i.e. "Springfield Library" 4. Create a new bib record using the advanced editor, insert a 001 field, note that the 001 widget is there. Click on "Assign next". There should be no effect (and you could see [HTTP/1.1 403 Forbidden 706ms] in the browser console). 5. Apply the patch ; restart_all ; reload the browser. 6. Repeat p. 4. You should get the content of the 001 field generated by the widget. Signed-off-by: Roman Dolny Signed-off-by: David Cook Signed-off-by: Katrin Fischer
---
 .../prog/en/includes/cateditor-widgets-marc21.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
index 26cadeda16..67a9c120f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
@@ -152,8 +152,9 @@ require( [ 'koha-backend', 'widget', 'text-marc' ], function( KohaBackend, Widge
 $( this.node )
 .find('.control-number-widget-assign').click( function() {
 var sequence = $( widget.node ).find('.control-number-widget-sequence').val();
+ const token = $("input[name='csrf_token']").first().val();
 $.post(
- '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence
+ '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence + '?csrf_token=' + token
 ).done( function( result ) {
 if ( result.next_value ) widget.setControlNumber( result.next_value );
 } );
-- 2.39.5
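Review bot: The added `'?csrf_token=' + token` puts the CSRF token in the request URL, where it ends up in web-server and proxy access logs, browser history and any Referer header sent from the response, whereas a POST already has a body to carry it: `$.post('/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence, { csrf_token: token })` keeps the token out of the URL, provided the server-side check reads the parameter from a form-encoded body as well as the query string (confirm against the CSRF middleware before switching). Neither `sequence` nor `token` is URL-encoded on the new line, so a value containing `+`, `/`, `&` or `#` would be mangled before the server sees it; if the query-string form is kept, wrap both in `encodeURIComponent()`. The chain still ends at `.done()` with no `.fail()`, so a 403 from a missing or stale token (for example `token` being `undefined` when no `csrf_token` input is on the page) is as silent as the symptom this bug reports; a `.fail(function (xhr) { ... })` that reports `xhr.status` to the user would make the next regression visible. The enclosing `require(...)` callback and the widget definition start and end outside the hunk.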