From efdebe7c2a59daaba2b3103884e4fe9e1cda704b Mon Sep 17 00:00:00 2001
From: Brendan Lawlor
Date: Tue, 23 Jul 2024 12:29:55 +0000
Subject: [PATCH] Bug 37407: Fix automatic checkout for fast cataloging This patch adds a check for the referrer to the circulation page. If the referrer is from the same origin's additem.pl then get the barcode from the url parameters, fill the form and submit. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode is filled and the form is submitted automatically 7. Confirm the item is checked out and the dutedate specified works 8. Add an html customization somewhere else in koha with a link like http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=38&barcode=99999&duedatespec=&stickyduedate= 9. Click on the link to simulate a csrf attack 10. Confirm the checkout page is loaded for that patron but no checkout is made Signed-off-by: Eric Garcia Signed-off-by: Kyle M Hall Signed-off-by: Martin Renvoize (cherry picked from commit 620dbcde87704ebbd095c24dfa78b9b847235869) Signed-off-by: Lucas Gass
---
 .../intranet-tmpl/prog/en/modules/circ/circulation.tt | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index 4a55634e93..ae8ca695e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -1135,6 +1135,16 @@ }
 });
 [% END %]
+
+ // Handle checkout for fast cataloging
+ // Check the referrer to prevent csrf, fill and submit form
+ if(document.referrer.split('?')[0] === window.location.origin +'/cgi-bin/koha/cataloguing/additem.pl') {
+ let urlParams = new URLSearchParams(window.location.search);
+ let barcode = urlParams.get('barcode');
+ $('#barcode').val(barcode);
+ $('#mainform').submit();
+ }
+
 });
 [% INCLUDE 'str/members-menu.inc' %]
-- 
2.39.5
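Review bot: The referrer comparison on the new `if` line is a weak gate for a state-changing action: `document.referrer` is set by the browser, is empty under a strict `Referrer-Policy` (the auto-checkout then silently stops working), and is not designed as a CSRF control, so this branch should be read as defense in depth while the POST itself stays protected by the form's CSRF token (which I assume `#mainform` already carries; worth confirming in the template outside the hunk). Inside the branch, `urlParams.get('barcode')` returns `null` when the parameter is absent, and that null is written into `#barcode` and submitted as an empty checkout; guard it with `const barcode = new URLSearchParams(window.location.search).get('barcode'); if (barcode) { $('#barcode').val(barcode); $('#mainform').submit(); }`. Neither `let` is reassigned, so both should be `const`, and the `// Check the referrer to prevent csrf` comment would be more accurate as `// Only auto-submit when arriving from this origin's additem.pl; the form's CSRF token still protects the POST`. The handler closed by the trailing `});` begins outside the hunk.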