From 0cbc99a3739d6a90fa4c17bde9a47d99ec6d8a0a Mon Sep 17 00:00:00 2001
From: Nick Clemens
Date: Mon, 18 Mar 2024 17:28:56 +0000
Subject: [PATCH] Bug 36351: Add CSRF tokens to advanced cataloguing editor POST requests

The editor uses ajax post requests to SVC api. Becuase these apis are XML based requests, they must be handled in the simplest way, by embedding the token as a header

To test:
1 - Browse to Cataloguing->Advanced editor
2 - Fill out needed values and save
3 - 403 error
4 - Apply patch
5 - Reload and try agian, success!
6 - Edit and save again, success!

Signed-off-by: Nick Clemens
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
---
 .../lib/koha/cateditor/koha-backend.js | 25 +++++++++---------
 .../intranet-tmpl/prog/js/fetch/api-client.js | 2 ++
 .../prog/js/fetch/cataloguing-api-client.js | 26 +++++++++++++++++++
 3 files changed, 40 insertions(+), 13 deletions(-)
 create mode 100644 koha-tmpl/intranet-tmpl/prog/js/fetch/cataloguing-api-client.js

diff --git a/koha-tmpl/intranet-tmpl/lib/koha/cateditor/koha-backend.js b/koha-tmpl/intranet-tmpl/lib/koha/cateditor/koha-backend.js
index 5410f77563..2fded33d03 100644
--- a/koha-tmpl/intranet-tmpl/lib/koha/cateditor/koha-backend.js
+++ b/koha-tmpl/intranet-tmpl/lib/koha/cateditor/koha-backend.js
@@ -136,20 +136,19 @@ define( [ '/cgi-bin/koha/svc/cataloguing/framework?frameworkcode=&callback=defin
 record = record.clone();
 _removeBiblionumberFields( record );
 
- $.ajax( {
- type: 'POST',
- url: '/cgi-bin/koha/svc/new_bib?frameworkcode=' + encodeURIComponent(frameworkcode),
- data: record.toXML(),
- contentType: 'text/xml'
- } ).done( function( data ) {
- var record = _fromXMLStruct( data );
- if ( record.marcxml ) {
- record.marcxml[0].frameworkcode = frameworkcode;
+ const client = APIClient.cataloguing;
+ client.catalog_bib.create({ frameworkcode, record }).then(
+ success => {
+ var record = _fromXMLStruct( data );
+ if ( record.marcxml ) {
+ record.marcxml[0].frameworkcode = frameworkcode;
+ }
+ callback( record );
+ },
+ error => {
+ callback( { error: _('Could not save record') } );
 }
- callback( record );
- } ).fail( function( data ) {
- callback( { error: _('Could not save record') } );
- } );
+ );
 },
 
 SaveRecord: function( id, record, callback ) {
diff --git a/koha-tmpl/intranet-tmpl/prog/js/fetch/api-client.js b/koha-tmpl/intranet-tmpl/prog/js/fetch/api-client.js
index 87b240ac5c..760e0d4ea8 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/fetch/api-client.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/fetch/api-client.js
@@ -1,5 +1,6 @@
 import ArticleRequestAPIClient from "./article-request-api-client.js";
 import AVAPIClient from "./authorised-value-api-client.js";
+import CataloguingAPIClient from "./cataloguing-api-client.js";
 import CirculationAPIClient from "./circulation-api-client.js";
 import ClubAPIClient from "./club-api-client.js";
 import CoverImageAPIClient from "./cover-image-api-client.js";
@@ -12,6 +13,7 @@ import TicketAPIClient from "./ticket-api-client.js";
 export const APIClient = {
 article_request: new ArticleRequestAPIClient(),
 authorised_value: new AVAPIClient(),
+ cataloguing: new CataloguingAPIClient(),
 circulation: new CirculationAPIClient(),
 club: new ClubAPIClient(),
 cover_image: new CoverImageAPIClient(),
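Review bot: The new success handler still reads `data` — `var record = _fromXMLStruct( data );` — but `data` was the parameter of the removed `.done( function( data ) { … } )` callback and is not bound in the new `success => { … }` arrow, so the first save response will throw a ReferenceError (or pick up an unrelated outer `data`) rather than populating the editor. The line should read `var record = _fromXMLStruct( success );`, assuming `client.catalog_bib.create` resolves with the same raw XML payload the svc endpoint returns; if `HttpClient.post` already parses the body, `_fromXMLStruct` would need adjusting too. `APIClient` is referenced as a bare global from inside this AMD `define` module, so confirm it is loaded before this code runs. The enclosing function starts before this hunk.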
diff --git a/koha-tmpl/intranet-tmpl/prog/js/fetch/cataloguing-api-client.js b/koha-tmpl/intranet-tmpl/prog/js/fetch/cataloguing-api-client.js
new file mode 100644
index 0000000000..435be5b834
--- /dev/null
+++ b/koha-tmpl/intranet-tmpl/prog/js/fetch/cataloguing-api-client.js
@@ -0,0 +1,26 @@
+import HttpClient from "./http-client.js";
+
+export class CataloguingAPIClient extends HttpClient {
+ constructor() {
+ super({
+ baseURL: "/cgi-bin/koha/svc/",
+ });
+ }
+
+ get catalog_bib() {
+ return {
+ create: bib_info =>
+ this.post({
+ endpoint: "new_bib/frameworkcode=%s".format( bib_info.frameworkcode ),
+ body: bib_info.record.toXML(),
+ headers: {
+ "Content-Type":
+ "text/xml",
+ },
+ }),
+ };
+ }
+
+}
+
+export default CataloguingAPIClient;
-- 
2.39.5
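Review bot: The endpoint string `"new_bib/frameworkcode=%s"` puts the framework code into the path instead of the query string, whereas the request it replaces in koha-backend.js was `'/cgi-bin/koha/svc/new_bib?frameworkcode=' + encodeURIComponent(frameworkcode)`; the `?` is gone and the value is no longer URL-encoded, so a code containing `&`, `#` or `/` would corrupt the URL and the server may never see the `frameworkcode` parameter at all. Suggest ``endpoint: `new_bib?frameworkcode=${encodeURIComponent(bib_info.frameworkcode)}`,`` which also removes the reliance on a `String.prototype.format` helper that is not imported in this module. The CSRF fix this patch describes presumably rests on `HttpClient.post` attaching the token header, which is not visible in this diff, so a short JSDoc on `catalog_bib` such as `/** POST a MARC record as text/xml to svc/new_bib; the CSRF header is expected to be added by HttpClient. */` would help the next reader see where that guarantee lives.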