From f4b858778268730d49dc9f11d9d2d9bf6faf3f6e Mon Sep 17 00:00:00 2001 From: Emily-Rose Francoeur Date: Tue, 10 Oct 2023 13:30:43 -0400 Subject: [PATCH] Bug 35019: Add a CSRF token when deleting news I add a CSRF token as a parameter in the link for deleting a news entry, which solves the problem. TEST PLAN 1) Apply the patch 2) Go to "Tools > News > New entry" 3) "Display location" should be set to "Staff interface" 4) Fill in the fields 5) Return to the homepage 6) Delete the created news entry 7) The "Additional contents" page is displayed, and the deleted news entry no longer appears 8) Return to the homepage; the news entry no longer displays Signed-off-by: Owen Leonard Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi Edit: adapted the template change to latest master inline Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt | 2 +- mainpage.pl | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt index bbc138cb57..85feef5609 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt @@ -34,7 +34,7 @@

Posted on [% koha_new.published_on | $KohaDates %][% IF( show_author && koha_new.author ) %] by [% INCLUDE 'patron-title.inc' patron=koha_new.author %]
[% END %] [% IF ( CAN_user_tools_edit_additional_contents ) %] Edit - | Delete + | Delete | New [% END %]
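Review bot: The Delete action in this hunk is still an ordinary link, and per the commit description the CSRF token is appended to it as a URL parameter, so the token ends up in browser history, web-server and proxy access logs, and possibly Referer headers. A state-changing delete is better sent as a small POST form that carries the token in a hidden field, e.g. `<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />`. The anchor markup did not survive on this page, so two things should be confirmed against the real template and handler: that the token is escaped for the context it is written into, and that the delete handler rejects a missing or invalid token. That server-side check is not part of this patch.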

diff --git a/mainpage.pl b/mainpage.pl
index 855913ae72..e1c033f18a 100755
--- a/mainpage.pl
+++ b/mainpage.pl
@@ -37,6 +37,7 @@ use Koha::Suggestions;
 use Koha::BackgroundJobs;
 use Koha::CurbsidePickups;
 use Koha::Tickets;
+use Koha::Token;
 my $query = CGI->new;
@@ -69,6 +70,7 @@ my $koha_news = Koha::AdditionalContents->search_for_display(
 $template->param(
 koha_news => $koha_news,
+ csrf_token => Koha::Token->new->generate_csrf( { session_id => $query->cookie('CGISESSID'), } ),
 daily_quote => Koha::Quotes->get_daily_quote(),
 );
-- 
2.39.5
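Review bot: On the added `csrf_token` line, `$query->cookie('CGISESSID')` is called in list context inside the anonymous hash, and CGI's `cookie()` is context-sensitive. A request with no such cookie returns an empty list, leaving an odd-length hash with `session_id` undefined, and a multi-valued cookie would inject extra elements. Force scalar context with `session_id => scalar $query->cookie('CGISESSID'),`. The token is also bound to the raw cookie value rather than to the session established by the authentication step, which lies outside this hunk; if that step can issue a new session id on this request, the rendered token would not validate, so that is worth confirming.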