From efd54c2bd6b04f5a282054ca811d830e5b84c75b Mon Sep 17 00:00:00 2001
From: Phil Ringnalda
Date: Wed, 18 Sep 2024 19:41:50 -0700
Subject: [PATCH] Bug 37979: Toggling Item circulation alerts table cells needs to send csrf_token
When you click on a cell in the Item circulation alerts table, the page sends a POST to /cgi-bin/koha/admin/item_circulation_alerts.pl without including a csrf_token, which gets back a 403 error because that's sketchy behavior. It needs to include the token.
Test plan:
1. Administration - Item circulation alerts
2. Open the browser devtools to the console
3. Click on any green table cell
4. It should have turned red, but instead your console turned red with a 403
5. Apply patch, reload
6. Click on any green table cell, it will turn red
Sponsored-by: Chetco Community Public Library
https://bugs.koha-community.org/show_bug.cgi?id=37959
Signed-off-by: Jan Kissig
Signed-off-by: Marcel de Rooy
Signed-off-by: Lucas Gass
---
 .../prog/en/modules/admin/item_circulation_alerts.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/item_circulation_alerts.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/item_circulation_alerts.tt
index 6f94677278..704dad7458 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/item_circulation_alerts.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/item_circulation_alerts.tt
@@ -211,7 +211,7 @@
 url : '/cgi-bin/koha/admin/item_circulation_alerts.pl',
 type : 'POST',
 dataType : 'json',
- data : { op: 'cud-toggle', id: id, branch: $branch },
+ data : { op: 'cud-toggle', id: id, branch: $branch, csrf_token: $('meta[name="csrf-token"]').attr("content") },
 success : function(response){
 if ($branch == '*' && response.classes.match(/default/)) {
 td.html(disabledForAll);
--
2.39.5
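Review bot: The rejected-request path is still silent to the user: only a `success` callback is visible around the changed `data` line, so a 403 from a missing or expired token leaves the cell unchanged with nothing shown outside the devtools console. The token is read with `$('meta[name="csrf-token"]').attr("content")` at click time, and if that meta tag is absent the lookup yields `undefined`, so the POST carries no usable token and is refused exactly as before the patch. The `$.ajax` call begins and ends outside this hunk, so an `error` handler may already exist further down; if it does not, consider adding one next to `success`, for example `error : function(xhr){ if (xhr.status == 403) { /* token missing or expired: ask the user to reload */ } },`. Sending the token in the POST body rather than the URL is the right choice, since it keeps the value out of server access logs and referrers.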