From cc52a6aa7e7c0cb7dfdd1e7ccdabd588c79dca00 Mon Sep 17 00:00:00 2001
From: Pedro Amorim
Date: Mon, 25 Mar 2024 10:26:10 +0000
Subject: [PATCH] Bug 36414: OPAC - Skip csrf_token

Skip csrf_token field if it already exists and is coming from a previous workflow stage form submission, as it's already included at the start of the form.

The test plan requires EDS credentials in order to be followed. I'm available to help others through this test plan if required. Otherwise, I believe the code is simple enough to understand and follow what it's fixing without testing.

Test plan:
1) Install an ILL availability plugin, e.g.: https://github.com/PTFS-Europe/koha-plugin-ill-avail-eds
3) Configure the plugin and add EDS credentials
4) Enable ILLCheckAvailability sys pref
5) Enable ILLModuleDisclaimerByType by copying the example YAML block in the sys pref description
6) Create a new ILL request of type 'Book' and add a DOI
7) You should now be on the availability stage, click 'Continue adding your request'
8) You should now be on the type disclaimer stage, click 'Create'
9) Notice 'Wrong CSRF token' error. This happens because the type disclaimer stage is adding its own CSRF token in addition to the CSRF token coming from the previous availability stage
10) Apply patch. Repeat. No error -> Request is created as expected.
11) Do the same test plan on both Staff UI and OPAC

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt index 8adb5229df..975c2a078e 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt @@ -262,7 +262,7 @@

Displaying availability results

[% FOREACH key IN whole.keys %] [% value = whole.$key %] - [% IF key != 'custom_key' && key != 'custom_value' %] + [% IF key != 'custom_key' && key != 'custom_value' && key != 'csrf_token' %] [% END %] [% END %] @@ -307,7 +307,7 @@
[% FOREACH key IN whole.keys %] [% value = whole.$key %] - [% IF key != 'custom_key' && key != 'custom_value' %] + [% IF key != 'custom_key' && key != 'custom_value' && key != 'csrf_token' %] [% END %] [% END %] -- 2.39.5
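Review bot: in the first hunk (@@ -262), the new `key != 'csrf_token'` term in the `[% IF %]` condition is only safe if the form already emits its own token, and that output is not in the visible context. The commit message says the token is "already included at the start of the form"; please confirm this holds for every stage that renders this loop, because once the carried-over value is skipped a form without its own token would be posted with none at all. A short template comment above the condition saying why `csrf_token` is excluded would keep a later edit from removing it.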
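Review bot: the second hunk (@@ -307) repeats the same three-term condition as the hunk at @@ -262, so the list of keys that must not be re-emitted now lives in two places in this template. Consider moving the `FOREACH key IN whole.keys` loop into a shared block or include so that the next exclusion is added once. Also, step 11 of the test plan asks for the Staff UI to be tested, while the diffstat shows only opac-illrequests.tt changed, so the staff-side template needs the same condition in its own patch if it is not already covered.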