From d0a3ae57c077ef136d5e422f6b18f57a2c40dfd8 Mon Sep 17 00:00:00 2001
From: David Cook <dcook@prosentient.com.au>
Date: Wed, 30 Aug 2023 00:28:53 +0000
Subject: [PATCH] Bug 34650: Convert list toolbar delete into form POST

This patch adds a HTML form with a CSRF token to POST the list delete,
which is triggered by a click handler on the A element. The A element
is still needed for existing style reasons.

Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. In the staff interface, add a list
3. Go into that list (e.g. virtualshelves/shelves.pl?op=view&shelfnumber=X)
4. From the toolbar click the "Edit" dropdown
5. From the dropdown try either "Edit list" or "Delete list"
6. Note no CSRF error and operation completes as expected

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5d3b7cf08949d5776b732f24cefcbe377260c281)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0c4fe03c2331e2fc255e955312fcd4c5c9606225)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
---
 .../prog/en/includes/virtualshelves-toolbar.inc          | 9 ++++++++-
 .../prog/en/modules/virtualshelves/shelves.tt            | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/virtualshelves-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/virtualshelves-toolbar.inc
index c5a6306a78..7f2c3b07c3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/virtualshelves-toolbar.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/virtualshelves-toolbar.inc
@@ -17,7 +17,14 @@
             <button class="btn btn-default dropdown-toggle" data-toggle="dropdown"><i class="fa fa-pencil"></i> Edit <span class="caret"></span></button>
             <ul class="dropdown-menu">
                 <li><a href="/cgi-bin/koha/virtualshelves/shelves.pl?op=edit_form&amp;shelfnumber=[% shelf.shelfnumber | uri %]&amp;referer=[% op | uri %]">Edit list</a></li>
-                <li><a id="deleteshelf" href="/cgi-bin/koha/virtualshelves/shelves.pl?op=delete&amp;shelfnumber=[% shelf.shelfnumber | html %]">Delete list</a></li>
+                <li>
+                    <a id="deleteshelf_toolbar" href="#">Delete list</a>
+                    <form id="deleteshelf_toolbar_form" action="shelves.pl" method="post">
+                        [% INCLUDE 'csrf-token.inc' %]
+                        <input type="hidden" name="op" value="delete">
+                        <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]">
+                    </form>
+                </li>
             </ul>
         </div>
         [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
index b70b7e60b6..16dfac16e3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
@@ -941,6 +941,14 @@
                         e.preventDefault();
                     }
                 });
+                $("#deleteshelf_toolbar").on('click',function(e){
+                    if(confirm(_("Are you sure you want to delete this list?"))){
+                        $("#deleteshelf_toolbar_form").submit();
+                        return false;
+                    } else {
+                        e.preventDefault();
+                    }
+                });
              });
 
         [% END %]
-- 
2.39.2