From bc1af60e1ac8c9b7de5aab79239899ad2a437345 Mon Sep 17 00:00:00 2001
From: Janusz Kaczmarek <januszop@gmail.com>
Date: Wed, 2 Oct 2024 18:04:56 +0000
Subject: [PATCH] Bug 38065: Auto control number (001) widget in advanced
 editor does not work under CSRF protection

Auto control number (001) widget in advanced editor does not work under
CSRF protection.  A token should be passed to POST ...
control_num_sequences call.

Test plan:
==========

1. Verify that the CONTROL_NUM_SEQUENCE category in authorized values is
   present.
3. Add a new authorized value for CONTROL_NUM_SEQUENCE:
     b) authorised value: sprLib0001
     c) in Description - a short string indicating the type of control
     number i.e. "Springfield Library"
4. Create a new bib record using the advanced editor, insert a 001
   field, note that the 001 widget is there.  Click on "Assign next". There
   should be no effect (and you could see [HTTP/1.1 403 Forbidden 706ms] in
   the browser console).
5. Apply the patch ; restart_all ; reload the browser.
6. Repeat p. 4.  You should get the content of the 001 field generated
   by the widget.

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
---
 .../prog/en/includes/cateditor-widgets-marc21.inc              | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
index 26cadeda16..67a9c120f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
@@ -152,8 +152,9 @@ require( [ 'koha-backend', 'widget', 'text-marc' ], function( KohaBackend, Widge
                 $( this.node )
                     .find('.control-number-widget-assign').click( function() {
                         var sequence = $( widget.node ).find('.control-number-widget-sequence').val();
+                        const token = $("input[name='csrf_token']").first().val();
                         $.post(
-                            '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence
+                            '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence + '?csrf_token=' + token
                         ).done( function( result ) {
                             if ( result.next_value ) widget.setControlNumber( result.next_value );
                         } );
-- 
2.39.5