From 801fa43c7cecd8e310f77a51e03ebeec3677015e Mon Sep 17 00:00:00 2001 
From: Phil Ringnalda Date: Wed, 18 Sep 2024 21:01:56 -0700 Subject: [PATCH] Bug 37961: Inventory problem resolution fails by POSTing without an op or csrf_token After you upload a file or textarea of barcodes to inventory, the next step is a list of the things that were missing, with checkboxes to check when you find them, and buttons to Mark seen, which send a POST to /cgi-bin/koha/tools/ajax-inventory.pl without an op param (since it doesn't have an $op) and without a csrf_token, so the POST fails with a 403. Test plan: 1. Without the patch, Cataloging - Inventory - in Item location filters set Library to Centerville, Shelving location to Audio visual, Collection code to Reference, and in Optional filters for inventory list or comparing barcodes set Last inventory date to today. 2. Click Submit, and you'll have a table of 23 items. Check the checkbox for the first item, click Mark seen and continue 3. What was supposed to happen was that you would be taken to the next page, but instead you are still in the same page, and if you had the browser console open, you would have seen that you sent a POST to ajax-inventory.pl, and got a 403 error in response 4. Apply patch, restart_all 5. Repeat step 1 and 2, this time getting to the second page. Check the checkboxes for the last two items, and click Mark seen and quit 6. Repeat step 1 and click Submit. You should now have only 20 items, since the three you checked now have a Last inventory date of today. Yeah, when you did Mark seen and continue they ought to have been removed from the list, I agree. I had to go back to 23.11.x and make sure that was really how it was supposed to function, but that is the existing behavior. Even though they get marked as seen, nothing changes about your list until you quit and go back to it. Maybe because then something that wasn't on the current page would have moved there. Another bug. Sponsored-by: Chetco Community Public Library Signed-off-by: Sonia Bouis Signed-off-by: Kyle M Hall 
Signed-off-by: Martin Renvoize
---
 .../prog/en/modules/tools/inventory.tt | 4 ++--
 tools/ajax-inventory.pl | 13 ++++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/inventory.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/inventory.tt
index 554d7241d6..23c1a6c660 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/inventory.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/inventory.tt
@@ -490,7 +490,7 @@
 $("input:checked").each(function() {
 param += "|" + $(this).attr('name');
 });
- $.post('/cgi-bin/koha/tools/ajax-inventory.pl', { seen: param });
+ $.post('/cgi-bin/koha/tools/ajax-inventory.pl', { seen: param, op: 'cud-seen', csrf_token: $('meta[name="csrf-token"]').attr("content") });
 inventorydt.fnPageChange( 'next' );
 return false;
 });
@@ -503,7 +503,7 @@
 $.ajax({
 type: 'POST',
 url: '/cgi-bin/koha/tools/ajax-inventory.pl',
- data: { seen: param},
+ data: { seen: param, op: 'cud-seen', csrf_token: $('meta[name="csrf-token"]').attr("content") },
 async: false
 });
 document.location.href = '/cgi-bin/koha/tools/inventory.pl';
diff --git a/tools/ajax-inventory.pl b/tools/ajax-inventory.pl
index a8c8c9d06d..7d35497a76 100755
--- a/tools/ajax-inventory.pl
+++ b/tools/ajax-inventory.pl
@@ -11,13 +11,16 @@ my $input = CGI->new;
 my ($status, $cookie, $sessionId) = C4::Auth::check_api_auth($input, { tools => 'inventory' });
 exit unless ($status eq "ok");
+my $op = $input->param('op') // q{};
-my $seen = $input->param('seen');
-my @seent = split(/\|/, $seen);
+if ( $op eq 'cud-seen' ) {
+ my $seen = $input->param('seen');
+ my @seent = split( /\|/, $seen );
-# mark seen if applicable (ie: coming form mark seen checkboxes)
-foreach ( @seent ) {
- /SEEN-(.+)/ and &ModDateLastSeen($1);
+ # mark seen if applicable (ie: coming form mark seen checkboxes)
+ foreach (@seent) {
+ /SEEN-(.+)/ and &ModDateLastSeen($1);
+ }
 }
 print $input->header('application/json');
--
2.39.5
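Review bot: The new `$.post` line still ignores the server's answer, so a request that fails (a 403 from an expired session or stale csrf_token, or a non-ok auth status, which the script answers with a bare `exit` and no body) leaves the items unmarked while `inventorydt.fnPageChange( 'next' )` advances anyway, which is the same silent failure this bug describes with a different cause. Chain a failure handler on the returned jqXHR, e.g. `.fail(function () { alert("Marking items as seen failed; they were not updated."); })`, and consider paging only from `.done`. The `$.ajax` call in the following hunk has the same gap, and its `async: false` is a synchronous XHR that browsers deprecate; moving the `document.location.href` assignment into `.always()` would let that request go asynchronous. The click handler enclosing this code starts before the hunk.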
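Review bot: The `/SEEN-(.+)/` match on the new side is unanchored and captures everything after `SEEN-`, so any submitted name containing that substring passes an arbitrary string straight into `ModDateLastSeen`; the value is presumably an itemnumber, in which case `/^SEEN-(\d+)$/` is the tighter check, and it is worth pairing with a defined-or default so a `cud-seen` POST that omits `seen` does not `split` an undef: `my $seen = $input->param('seen') // q{};`. The `&ModDateLastSeen($1)` call syntax is carried over unchanged; plain `ModDateLastSeen($1)` is the modern form. With a missing or unknown op the script now emits only the JSON header and an empty body, which may suit the two template callers but deserves a one-line comment above the `print`, e.g. `# Unknown or missing op: reply with an empty 200 so the caller is not left hanging.` The script may continue past the end of the hunk.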