https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38275 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|Laura.escamilla@bywatersolu |dcook@prosentient.com.au |tions.com | --- Comment #8 from David Cook <dcook@prosentient.com.au> --- (In reply to Phil Ringnalda from comment #5)
That's one messed-up CSRF-protection avoiding page: it has a form, with method="post" and op="cud-delete" just like anything doing a delete should, but then the submit button doesn't submit the form, it just concatenates the selected_images together and sticks them on a GET of ?op=delete.
Apologies for taking this one over. As Phil notes, this stateful (CUD) operation needs to be done with a POST. I used Phil's idea of leveraging the existing POST form. -- You are receiving this mail because: You are watching all bug changes.