From b40d8e90bd598301dfd4d1122501cb8bff3279a4 Mon Sep 17 00:00:00 2001
From: Owen Leonard <oleonard@myacpl.org>
Date: Wed, 1 May 2024 11:04:41 +0000
Subject: [PATCH] Bug 36739: Correct CSRF change to budget deletions

This is another instance of the deletion confirmation step getting
mistakenly auto-updated as if it were the deletion step. The
'delete_confirm' doesn't need the 'cud-' prefix, only the
'delete_confirmed' step.

To test, apply the patch and restart services.

- Test the process of deleting a budget.
- On the confirmation step you should see the name of the budget you're
  about to delete.
- After confirming, the deletion should complete correctly.

Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
---
 admin/aqbudgetperiods.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/aqbudgetperiods.pl b/admin/aqbudgetperiods.pl
index 35a5522ac2..c66969a21c 100755
--- a/admin/aqbudgetperiods.pl
+++ b/admin/aqbudgetperiods.pl
@@ -145,7 +145,7 @@ elsif ( $op eq 'cud-add_validate' ) {
 }
 
 #--------------------------------------------------
-elsif ( $op eq 'cud-delete_confirm' ) {
+elsif ( $op eq 'delete_confirm' ) {
 ## delete a budget period (preparation)
     my $funds = GetBudgets({ budget_period_id => $budget_period_id });
     my $fund_count = scalar @$funds;
-- 
2.39.5