From 4e1372b77ce836bc108a2dfdfa8d3673eb732b30 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 22 Sep 2023 10:55:29 +0200
Subject: [PATCH] Bug 34478: op =~ ^cud-
Signed-off-by: Jonathan Druart
---
 C4/Auth.pm | 6 ++++--
 admin/branches.pl | 4 ++--
 debian/templates/plack.psgi | 18 ++++++++----------
 .../prog/en/includes/csrf-token.inc | 4 ++--
 .../prog/en/modules/admin/branches.tt | 6 +++---
 5 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 23c3562d26..51eef1e1be 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -634,7 +634,8 @@ sub get_template_and_user {
 $template->param( logged_in_user => $patron );
 $template->param( sessionID => $sessionID );
- if ( $in->{query}->param('op-cud') ) {
+ my $op = $in->{query}->param('op');
+ if ( defined $op && $op =~ m{^cud-} ) {
 C4::Output::output_and_exit( $in->{query}, $cookie, $template, 'wrong_csrf_token' ) unless Koha::Token->new->check_csrf( {
@@ -1342,7 +1343,8 @@ sub checkauth {
 my $patron = $userid ? Koha::Patrons->find({ userid => $userid }) : undef;
 $patron->update_lastseen('login') if $patron;
- if ( $query->param('op-cud') ) {
+ my $op = $query->param('op');
+ if ( defined $op && $op =~ m{^cud-} ) {
 die "Cannot use GET for this request" if $request_method eq 'GET';
diff --git a/admin/branches.pl b/admin/branches.pl
index 50e909dfa0..7a6429b08f 100755
--- a/admin/branches.pl
+++ b/admin/branches.pl
@@ -58,7 +58,7 @@ if ( $op eq 'add_form' ) {
 $template->param( library => $library, );
-} elsif ( $op eq 'add_validate' ) {
+} elsif ( $op eq 'cud-add_validate' ) {
 my @fields = qw( branchname branchaddress1
@@ -191,7 +191,7 @@ if ( $op eq 'add_form' ) {
 patrons_count => $patrons_count, ); }
-} elsif ( $op eq 'delete_confirmed' ) {
+} elsif ( $op eq 'cud-delete_confirmed' ) {
 my $library = Koha::Libraries->find($branchcode);
 my $deleted = eval { $library->delete; };
diff --git a/debian/templates/plack.psgi b/debian/templates/plack.psgi
index 577118148c..eadb17204f 100644
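Review bot: The CSRF token check in get_template_and_user is now opt-in by op name: it runs only when `op` matches `m{^cud-}`, so any script whose state-changing branch still uses an unprefixed op is served without a token check. The same gate is used in the second C4/Auth.pm hunk (checkauth), and of the calling scripts only admin/branches.pl is renamed in this commit. I would state the contract at both sites, e.g. `# CSRF: only ops named cud-* are token-checked; every handler that creates, updates or deletes must use a cud- op`. The get_template_and_user hunk also shows no request-method test beside its check, whereas checkauth dies on GET; whether that is handled elsewhere cannot be told from here, since both function bodies continue outside the hunks.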
--- a/debian/templates/plack.psgi
+++ b/debian/templates/plack.psgi
@@ -48,16 +48,14 @@ use CGI qw(-utf8 ); # we will loose -utf8 under plack, otherwise
 Koha::Caches->flush_L1_caches();
 Koha::Cache::Memory::Lite->flush();
- $original_op_cud = $q->param('op-cud');
- $request_method = $q->request_method // q{};
- if ( $request_method eq 'GET' && defined $original_op_cud ) {
- warn "Programming error - op-cud must not be passed with GET";
- $q->param( 'op-cud', undef );
- } elsif ( $request_method ne 'GET' && defined $q->param('op') ) {
- warn "Programming error - op can only be passed with GET";
- $q->param( 'op', undef );
- } else {
- $q->param( 'op', $original_op_cud );
+ my $original_op = $q->param('op');
+ my $request_method = $q->request_method // q{};
+ if ( $request_method eq 'GET' && defined $original_op && $original_op =~ m{^cud-} ) {
+ warn "Programming error - op '$original_op' must not start with 'cud-' with GET";
+ $q->param( 'op', '' );
+ } elsif ( $request_method ne 'GET' && defined $q->param('op') && $original_op !~ m{^cud-} ) {
+ warn "Programming error - op '$original_op' must start with 'cud-' for $request_method";
+ $q->param( 'op', '' );
 }
 return $q;
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
index bfc221faf4..2ec6a07fac 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
@@ -1,3 +1,3 @@
-[%- USE Koha %]
-[%- USE raw %]
+[%- USE Koha -%]
+[%- USE raw -%]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
index b288e84baa..39ed9c639d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
@@ -129,7 +129,7 @@
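Review bot: Both new `warn` calls in the debian/templates/plack.psgi hunk interpolate the request's `op` value into the log message unmodified, so a client can place line breaks or control characters in the error log and make entries that look like separate records. Sanitise the value before logging, for example `( my $logged_op = $original_op ) =~ s/[^\x20-\x7e]/?/g;`, and use `$logged_op` in the two messages. Separately, a mismatched request is not refused: `op` is set to `''` and the script carries on with whatever its empty-op branch does, which looks intended but deserves a comment such as `# op/method mismatch: blank op so no cud- handler runs`. The enclosing sub starts and ends outside the hunk.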
[% INCLUDE 'csrf-token.inc' %]
- + [% IF library %] [% END %] @@ -321,7 +321,7 @@ [% INCLUDE 'csrf-token.inc' %]

Are you sure you want to delete [% library.branchname | html %] ([% library.branchcode | html %])?

- + @@ -645,7 +645,7 @@ "data": function( row, type, val, meta ) { var result = ' '+_("Edit")+''; - result += ''; + result += ''; result += ''+"\n"; result += ''; result += ''; -- 2.39.2