[Bug 41197] New: opac/opac-account-pay-return.pl should not require CSRF
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41197 Bug ID: 41197 Summary: opac/opac-account-pay-return.pl should not require CSRF Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org This page is intended for redirect/return from external payment vendors - they are not going to have/get a CSRF token from Koha for this. The payments are handled in a POST to the API, so this should not be a sensitive page, it just provides user confirmation. Some vendors use only a POST, we should not require CSRF on this page. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41197 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Can you run us through how this should work? I see a reference to opac-account-pay-return.pl in "opac_online_payment_begin.tt" in dev-koha-plugin-kitchen-sink, but it looks like it is an update so it should have a CSRF token (although it's missing in the plugin version I'm looking at). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41197 --- Comment #2 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- (In reply to David Cook from comment #1)
Can you run us through how this should work?
I see a reference to opac-account-pay-return.pl in "opac_online_payment_begin.tt" in dev-koha-plugin-kitchen-sink, but it looks like it is an update so it should have a CSRF token (although it's missing in the plugin version I'm looking at).
So the general process is: 1 -opac payment begin - We select the charges to pay - the user/charges are then sent to the vendor site for processing payment 2 -the vendor should then POST to the API to make the actual payment and verify things on their end 3 - opac payment end - the payment vendor redirects the patron back to the Koha catalog, they may send some information about the payment, but the actual changes have been handled in step 2, step 3 is just reporting -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org