https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37853 Bug ID: 37853 Summary: Returning to your account at the end of changing your password in the OPAC doesn't need to POST a form Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P3 Component: OPAC Assignee: phil@chetcolibrary.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Depends on: 36192 Blocks: 37728 The end of the UI flow of changing your password in the OPAC is a page which tells you your password was changed (good, you need to know it's time to log out and back in to change your saved password, or that it's time to scribble out the old one on a Post-it and write down the new one), and then offers to take you back to your account with a button in a form which does a POST to opac-user.pl without an op and with your borrowernumber, which is double-bad. We intend not to allow POST without an op, and once the test is fixed in bug 37728 this will fail, and there's no need for the borrowernumber since it will be completely ignored by the script, which will instead get it from your cookie or make you log in. Instead of a form+button+POST, it should just be a link. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728 [Bug 37728] More "op" are missing in POSTed forms -- You are receiving this mail because: You are watching all bug changes.