From a964d98dc85499b1ea0839ee6822cd2c553cadc3 Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Fri, 28 Jun 2024 13:06:43 +0000 Subject: [PATCH] Bug 37206: Removing an item from a label batch should be a CSRF-protected POST operation This patch updates the label batch edit template so that removing a single or multiple items from a batch is a CSRF-protected POST operation. The patch also removes the existing "if ($op eq 'cud-delete') {" section of label-edit-batch.pl because it was unused. To test, apply the patch and go to Cataloging -> Labels. - Create a label batch and add multiple items to it. - From the list of label batches, click "Edit" on the batch you created. - Click the "Delete" button for one of the items in the batch. - If you confirm, the item should be deleted. - In the "Select" column, check multiple checkboxes. - Click the "Remove selected items" button in the toolbar. - Verify that confirming this operation results in the items being deleted from the batch. Sponsored-by: Athens County Public Libraries Signed-off-by: David Nind Signed-off-by: Matt Blenkinsop Signed-off-by: Katrin Fischer --- .../en/modules/labels/label-edit-batch.tt | 26 +++++++++++++------ labels/label-edit-batch.pl | 6 +---- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt index ddf93049e0..15acdb833e 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt @@ -166,8 +166,9 @@ [% FOREACH text_field IN table_loo.text_fields %] [% IF ( text_field.select_field ) %] - - Delete + + Delete + Export @@ -205,6 +206,11 @@ +
+ [% INCLUDE 'csrf-token.inc' %] + + +
[% MACRO jsinclude BLOCK %] [% INCLUDE 'greybox.inc' %] [% INCLUDE 'datatables.inc' %] @@ -222,17 +228,18 @@ return true; // ok } } + function Remove() { + const batch_remove_form = $("#batch_remove_form"); items = new Array; item_num = new Array; if(document.items.action.length > 0) { for (var i=0; i < document.items.action.length; i++) { if (document.items.action[i].checked) { - items.push("label_id=" + document.items.action[i].value); - item_num.push(i+1); + items.push( document.items.action[i].value ); + item_num.push( i + 1 ); } } - getstr = items.join("&"); item_msg = item_num.join(", "); var msg = _("Are you sure you want to remove label number(s): %s from this batch?").format(item_msg); } else if (document.items.action.checked) { @@ -242,13 +249,16 @@ alert(_("Please select at least one label to delete.")); return; // no item selected } - var answer = confirm(msg); - if (answer) { - window.location = "/cgi-bin/koha/labels/label-edit-batch.pl?op=remove&batch_id=[% batch_id | html %]&" + getstr; + if ( confirm( msg ) ) { + items.forEach(( label_id ) => { + batch_remove_form.append(''); + }); + batch_remove_form.submit(); } else { return; // abort delete } } + function Add() { var number_list = document.getElementById("number_list"); if (number_list.value == '') { diff --git a/labels/label-edit-batch.pl b/labels/label-edit-batch.pl index 23bd9e77d4..1a8759b49b 100755 --- a/labels/label-edit-batch.pl +++ b/labels/label-edit-batch.pl @@ -67,7 +67,7 @@ $number_list = $cgi->param('number_list') if $cgi->param('number_list'); my $branch_code = C4::Context->userenv->{'branch'}; -if ($op eq 'remove') { +if ($op eq 'cud-delete') { $batch = C4::Labels::Batch->retrieve(batch_id => $batch_id); foreach my $label_id (@label_ids) { $err = $batch->remove_item($label_id); 
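Review bot: `items` now holds bare ids only in the multi-checkbox branch, but the single-checkbox branch (`else if (document.items.action.checked)`, whose three unchanged lines fall between this hunk and the next) is not shown as updated; if it still assigns `getstr = "label_id=" + …` instead of `items.push( document.items.action.value )`, a batch containing exactly one item will submit `#batch_remove_form` with no `label_id` and nothing is removed. The test plan covers several checkboxes and the per-row Delete button but not this path, so it is worth exercising. Separately, `items = new Array; item_num = new Array;` are implicit globals sitting next to the new `const batch_remove_form`; `let items = [], item_num = [];` keeps the function consistent. `Remove()` continues in the next hunk.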
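Review bot: The hidden `label_id` inputs are created by concatenating each id into an HTML string passed to `batch_remove_form.append(...)` (the markup inside the quotes is stripped in this copy of the patch); building the element instead, `batch_remove_form.append( $('<input>', { type: 'hidden', name: 'label_id', value: label_id }) );`, sets the value as a property rather than interpolating it into markup. The ids come from the page's own checkboxes, so this is hygiene rather than an exploitable gap. The `else { return; // abort delete }` is redundant once the submit sits inside `if ( confirm( msg ) )`. `Remove()` closes inside the hunk; `Add()` starts here and runs past it.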
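Review bot: The op that removes items from a batch is renamed `cud-delete`, the same name the now-removed branch in the next hunk used for deleting the whole batch (and, if I recall, the name label-manage.pl uses for batch deletion), so `op=cud-delete&batch_id=X` means different things depending on which script receives it; `if ($op eq 'cud-remove') {` (with the matching hidden `op` value in the template form) would keep the `cud-` prefix that Koha's CSRF middleware keys on while preserving the old intent. Two things to confirm in code outside the hunk: that `remove_item` scopes its delete by this batch's id as well as `label_id`, so a posted id belonging to another batch is a no-op, and that a failed `retrieve` for an unknown `batch_id` does not leave `$batch` undefined before `remove_item` is called. Note also that `$err` is overwritten on each loop iteration, so only the last failure is reported after the loop. The `if` block continues outside the hunk.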
@@ -77,10 +77,6 @@ if ($op eq 'remove') {
 # print $cgi->redirect("label-edit-batch.pl?op=edit&batch_id=$batch_id");
 # exit;
 }
-elsif ($op eq 'cud-delete') {
- $err = C4::Labels::Batch::delete(batch_id => $batch_id, branch_code => $branch_code);
- $errtype = 'BATCH_NOT_DELETED' if $err;
-}
 elsif ($op eq 'cud-add') {
 if ($number_list) {
 my @numbers_list = split /\n/, $number_list; # Entries are effectively passed in as a separated list
-- 
2.39.5