https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37614
Bug ID: 37614
Summary: Printing patron cards from patron lists broken by CSRF protection
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Tools
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected]
Blocks: 36192
Steps to reproduce:
1. Tools - Patrons lists, if you don't already have one then New list, name and
save, Search for patrons, add at least one patron, then return to Patron lists.
2. In the Actions menu for your patron list, select Print patron cards
3. In that perfectly normal looking popup, click Export. You now have a popup
with a Loading throbber, which will hang forever, and in your console you have
a 403 error from trying to GET patroncards/print.pl. If you go back and inspect
the page where you clicked Export, you'll find that it is a button
type='submit' in a form with method='post' which makes the GET seem a bit odd.
To see that it sometimes posts,
1. Tools - Patron card creator - New card batch - Add at least one patron
2. Export card batch
3. You get a popup with a lovely Windows 95 aesthetic courtesy of greybox.inc,
but it is that same form method='post' with the same type='submit' Export
button. Click Export and you will POST to patroncards/print.pl and things will
work just fine.
Not at all clear to me how opening the popup one way turns the POST to a GET,
but it does.
There's a FIXME in patroncards/print.pl saying that the op=cud-export looks
sus, which it does. You could try to make the case that it's sensible to POST
because in the case where you have selected some but not all of the patrons in
a label batch, the number of label_id params in the URL could be so high that
it exceeds Apache's max URL length, but then the result of the POST is a link
to create the PDF that is the actual "print" export, and that link is a GET
which contains all of them with an over-escaped &label_id= param for each
one. So a pragmatic fix would be to just change from a POST to a GET, change
cud-export to export, and not worry about why called one way it POSTs and
called another way it GETs.
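An added illustration, not Koha's own code: a small model of the rule the report runs into (an op name prefixed cud- is treated as a state-changing operation that is only honoured on a POST carrying the session's CSRF token, anything else gets a 403), checked against the three cases above: the GET fired from the patron-list popup, the tokened POST from the card batch, and the proposed plain GET with op=export. It also builds the label_id link the export hands back and checks it against Apache's default LimitRequestLine. The token fields, the gate's exact behaviour and the Request shape are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union
from urllib.parse import urlencode

# Constructed model of the rule behind the 403: an op prefixed "cud-" is a
# create/update/delete operation and is only honoured on a POST that carries
# the session's CSRF token. This is an illustration, not Koha's own code.
CUD_PREFIX = "cud-"
PRINT_SCRIPT = "patroncards/print.pl"   # script named in the report
APACHE_LIMIT_REQUEST_LINE = 8190        # Apache's default LimitRequestLine (bytes)

@dataclass
class Request:
    method: str
    params: Dict[str, Union[str, List[str]]]
    csrf_token: Optional[str] = None      # token sent with the form (assumed field)
    session_token: Optional[str] = None   # token the server expects (assumed field)

def csrf_gate(req: Request) -> int:
    """Return the status the gate would answer with: 403 blocked, 200 passed."""
    op = req.params.get("op", "")
    if isinstance(op, str) and op.startswith(CUD_PREFIX):
        if req.method != "POST":
            return 403   # the patron-list popup: a cud- op arriving by GET
        if not req.csrf_token or req.csrf_token != req.session_token:
            return 403   # a POST without the matching token
    return 200           # plain GET with op=export, or a tokened POST

def print_link(label_ids: Iterable[int]) -> str:
    """Build the GET link the export hands back, one label_id per selected card."""
    query = urlencode({"op": "export", "label_id": [str(i) for i in label_ids]}, doseq=True)
    return f"{PRINT_SCRIPT}?{query}"

def fits_request_line(url: str, limit: int = APACHE_LIMIT_REQUEST_LINE) -> bool:
    """The report's concern: the 'GET <url> HTTP/1.1' line must fit the limit."""
    return len(f"GET {url} HTTP/1.1") <= limit

if __name__ == "__main__":
    popup = Request("GET", {"op": "cud-export", "label_id": ["1"]})
    batch = Request("POST", {"op": "cud-export", "label_id": ["1"]}, "tok", "tok")
    fixed = Request("GET", {"op": "export", "label_id": ["1"]})
    print(csrf_gate(popup), csrf_gate(batch), csrf_gate(fixed))   # 403 200 200
    print(fits_request_line(print_link(range(1, 1001))))          # False
```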
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha