https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37767
Bug ID: 37767
Summary: Fix forms that POST without an op in Authority types
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P3
Component: System Administration
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
Depends on: 36192
Blocks: 37728
We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.
In Authority types (the odd name for MARC authority frameworks), that's the
"No, do not delete" cancel button when you decide not to go through with
deleting a tag, which doesn't need to POST since all it does is take you back
to where you were, and the OK button in the page that tells you the tag was
deleted when you decide to go ahead, which currently doesn't even show, but
when it does, it doesn't need to POST because it's just taking you back to
where you were.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728
[Bug 37728] More "op" are missing in POSTed forms