From d45d4912e868eea0122a286ba24352c1d5cf0205 Mon Sep 17 00:00:00 2001 From: Phil Ringnalda Date: Thu, 29 Aug 2024 18:17:12 -0700 Subject: [PATCH] Bug 37783: Fix form that looks like it would POST without an op in reserve/request.tt We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed. In reserve/request.tt the modal for cancelling a hold looks like it is a form that will do a POST without an op input, but in fact it requires JavaScript to work at all, and with JavaScript it clears out the div where it stashes inputs and then inserts one with the op cud-cancel. To persuade the test at xt/find-missing-op-in-forms.t that there is an op, and to let a casual skimmer of the code see what that op will be, without actually changing the behavior in any way, we can just stick the op in the div which the JS will .empty() out before sticking the same thing back in. Test plan: 1. Search for any record with an item, click Place hold, place two holds 2. In the row for the second hold, click the trash can icon to delete 3. Nothing changed from normallly cancelling a hold, did it? It shouldn't have. Sponsored-by: Chetco Community Public Library Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer --- koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt | 1 + 1 file changed, 1 insertion(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt index c22eae2fb5..13c5317465 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt @@ -1443,6 +1443,7 @@
[% INCLUDE 'csrf-token.inc' %]
+
-- 2.39.5