[Bug 38065] New: Auto control number (001) widget in advanced editor does not work under CSRF protection
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Bug ID: 38065 Summary: Auto control number (001) widget in advanced editor does not work under CSRF protection Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Cataloging Assignee: januszop@gmail.com Reporter: januszop@gmail.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl Depends on: 36192 Auto control number (001) widget in advanced editor does not work under CSRF protection. A token should be passed to POST ... control_num_sequences call. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Janusz Kaczmarek <januszop@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #1 from Janusz Kaczmarek <januszop@gmail.com> --- Created attachment 172326 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=172326&action=edit Bug 38065: Auto control number (001) widget in advanced editor does not work under CSRF protection Auto control number (001) widget in advanced editor does not work under CSRF protection. A token should be passed to POST ... control_num_sequences call. Test plan: ========== 1. Verify that the CONTROL_NUM_SEQUENCE category in authorized values is present. 3. Add a new authorized value for CONTROL_NUM_SEQUENCE: b) authorised value: sprLib0001 c) in Description - a short string indicating the type of control number i.e. "Springfield Library" 4. Create a new bib record using the advanced editor, insert a 001 field, note that the 001 widget is there. Click on "Assign next". There should be no effect (and you could see [HTTP/1.1 403 Forbidden 706ms] in the browser console). 5. Apply the patch ; restart_all ; reload the browser. 6. Repeat p. 4. You should get the content of the 001 field generated by the widget. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Janusz Kaczmarek <januszop@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pmis@mnw.art.pl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Roman Dolny <roman.dolny@jezuici.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Roman Dolny <roman.dolny@jezuici.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #172326|0 |1 is obsolete| | --- Comment #2 from Roman Dolny <roman.dolny@jezuici.pl> --- Created attachment 172333 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=172333&action=edit Bug 38065: Auto control number (001) widget in advanced editor does not work under CSRF protection Auto control number (001) widget in advanced editor does not work under CSRF protection. A token should be passed to POST ... control_num_sequences call. Test plan: ========== 1. Verify that the CONTROL_NUM_SEQUENCE category in authorized values is present. 3. Add a new authorized value for CONTROL_NUM_SEQUENCE: b) authorised value: sprLib0001 c) in Description - a short string indicating the type of control number i.e. "Springfield Library" 4. Create a new bib record using the advanced editor, insert a 001 field, note that the 001 widget is there. Click on "Assign next". There should be no effect (and you could see [HTTP/1.1 403 Forbidden 706ms] in the browser console). 5. Apply the patch ; restart_all ; reload the browser. 6. Repeat p. 4. You should get the content of the 001 field generated by the widget. Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Same problem as 38030 The csrf token needs to be in the POST body or in a HTTP header. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to David Cook from comment #3)
Same problem as 38030
The csrf token needs to be in the POST body or in a HTTP header.
It looks like we should maybe open an Omnibus and check all value builders for this issue? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=38030 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Katrin Fischer from comment #4)
(In reply to David Cook from comment #3)
Same problem as 38030
The csrf token needs to be in the POST body or in a HTTP header.
It looks like we should maybe open an Omnibus and check all value builders for this issue?
That seems to be unneeded? This is about a POST that might be possible to convert to a GET ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #6 from Janusz Kaczmarek <januszop@gmail.com> --- The plugin modifies the content of the database (it updates a row in the authorised_values table), so as for a CUD operation POST is right? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #172333|0 |1 is obsolete| | --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Created attachment 173084 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173084&action=edit Bug 38065: Auto control number (001) widget in advanced editor does not work under CSRF protection Auto control number (001) widget in advanced editor does not work under CSRF protection. A token should be passed to POST ... control_num_sequences call. Test plan: ========== 1. Verify that the CONTROL_NUM_SEQUENCE category in authorized values is present. 3. Add a new authorized value for CONTROL_NUM_SEQUENCE: b) authorised value: sprLib0001 c) in Description - a short string indicating the type of control number i.e. "Springfield Library" 4. Create a new bib record using the advanced editor, insert a 001 field, note that the 001 widget is there. Click on "Assign next". There should be no effect (and you could see [HTTP/1.1 403 Forbidden 706ms] in the browser console). 5. Apply the patch ; restart_all ; reload the browser. 6. Repeat p. 4. You should get the content of the 001 field generated by the widget. Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- Created attachment 173085 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173085&action=edit Bug 38065: (QA follow-up) Move csrf_token to POST body from URL Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- Nothing to see here folks >_>. Janusz was right. Only issue was where the csrf_token was located in the HTTP request. (And should've used the meta element instead of the input element.) Passed QA. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |dcook@prosentient.com.au |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|36192 | Blocks| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |24.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable CC| |lucas@bywatersolutions.com Version(s)|24.11.00 |24.11.00,24.05.06 released in| | --- Comment #11 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #12 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38065 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |caroline.cyr-la-rose@inlibr | |o.com Resolution|--- |FIXED Status|Needs documenting |RESOLVED --- Comment #13 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Big fix, nothing to add/edit in the manual. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org