From 631a80aaee684e243ab9ce51f72a866270145666 Mon Sep 17 00:00:00 2001 From: Pedro Amorim Date: Tue, 2 Apr 2024 11:28:59 +0000 Subject: [PATCH] Bug 35106: CSRF fix The removal of 'cud-' from op needs to happen sooner because ill-requests.tt expects 'edit_action' op, not 'cud-edit_action'. Signed-off-by: Pedro Amorim Signed-off-by: Tomas Cohen Arazi Signed-off-by: Katrin Fischer --- ill/ill-requests.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ill/ill-requests.pl b/ill/ill-requests.pl index 89bf5b16d1..3fac879dd4 100755 --- a/ill/ill-requests.pl +++ b/ill/ill-requests.pl @@ -216,6 +216,7 @@ if ( $backends_available ) { handle_commit_maybe($backend_result, $request); } elsif ( $op eq 'cud-edit_action' ) { + $op =~ s/^cud-//; # Handle edits to the Illrequest object. # (not the Illrequestattributes) # We simulate the API for backend requests for uniformity. @@ -225,7 +226,6 @@ if ( $backends_available ) { order_by => { -asc => 'name' } }); if ( !$params->{stage} ) { - $op =~ s/^cud-//; my $backend_result = { error => 0, status => '', -- 2.39.5
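Review bot: The added `$op =~ s/^cud-//;` at the top of the `cud-edit_action` branch rewrites the variable that carries the `cud-` marker this CSRF work relies on, and no comment in the hunk explains why. Because the branch condition has already pinned the value, `$op = 'edit_action';    # ill-requests.tt matches on the unprefixed op` would state the intent more directly than a regex. The strip now runs on every path through the branch instead of only when `$params->{stage}` is unset, and the rest of the branch lies outside the hunk. It is worth confirming that nothing later in the branch still compares `$op` with `'cud-edit_action'`. If the template writes this value back into a form field, that form presumably still needs to submit the `cud-` prefixed op so the follow-up request stays on the protected path.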