[Bug 36351] New: CSRF Adjustments for Cataloguing editor
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Bug ID: 36351 Summary: CSRF Adjustments for Cataloguing editor Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl koha-backend.js uses a lot of post requests to the svc api, we need to cover these. This si complicated by the fact that these apis return xml and not json as we usually do -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #1 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 163362 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163362&action=edit Bug 36351: [failed] Use APIClient for posting -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #2 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 163364 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163364&action=edit Bug 36351: Add CSRF tokens to advanced cataloguing editor POST requests The editor uses ajax post requests to SVC api. Becuase these apis are XML based requests, they must be handled in the simplest way, by embedding the token as a header To test: 1 - Browse to Cataloguing->Advanced editor 2 - Fill out needed values and save 3 - 403 error 4 - Apply patch 5 - Reload and try agian, success! 6 - Edit and save again, success! -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #163362|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |34487 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #163364|0 |1 is obsolete| | --- Comment #3 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163387 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163387&action=edit Bug 36351: Add CSRF tokens to advanced cataloguing editor POST requests The editor uses ajax post requests to SVC api. Becuase these apis are XML based requests, they must be handled in the simplest way, by embedding the token as a header To test: 1 - Browse to Cataloguing->Advanced editor 2 - Fill out needed values and save 3 - 403 error 4 - Apply patch 5 - Reload and try agian, success! 6 - Edit and save again, success! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #4 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163388 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163388&action=edit Bug 36351: Fix http-client when response is not JSON -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com --- Comment #5 from Jonathan Druart <jonathan.druart@gmail.com> --- Fixed your first patch. Seems to work as expected. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |nick@bywatersolutions.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #163387|0 |1 is obsolete| | --- Comment #6 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 163457 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163457&action=edit Bug 36351: Add CSRF tokens to advanced cataloguing editor POST requests The editor uses ajax post requests to SVC api. Becuase these apis are XML based requests, they must be handled in the simplest way, by embedding the token as a header To test: 1 - Browse to Cataloguing->Advanced editor 2 - Fill out needed values and save 3 - 403 error 4 - Apply patch 5 - Reload and try agian, success! 6 - Edit and save again, success! Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #163388|0 |1 is obsolete| | --- Comment #7 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 163458 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163458&action=edit Bug 36351: Fix http-client when response is not JSON Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #8 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 163459 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163459&action=edit Bug 36351: Adjust saveRecord and _fromXMLStruct Using the new API Client means we need to handle some calls differently. the http-client is returning only the response, not the text, so we need to handle getting this out with a new async function (or promises, but this works) We also need to adjust _fromXMLStruct as we have reduced the levels in the response by the time it is called This now adds a new 'update' function to the cataloguing client as well. Eventually, this should all be using the REST API, but I think for now handling the non-standard responses gets it working again To test: To test: 1 - Browse to Cataloguing->Advanced editor 2 - New Record 3 - Enter values and save - confirm it works 4 - Confirm url now ends in : editor.pl#catalog/{biblionumber} and not editor.pl#new 5 - Save the record again, confirm biblio is updated and not saved as new Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |jonathan.druart@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #163457|0 |1 is obsolete| | Attachment #163458|0 |1 is obsolete| | Attachment #163459|0 |1 is obsolete| | --- Comment #9 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163489 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163489&action=edit Bug 36351: Add CSRF tokens to advanced cataloguing editor POST requests The editor uses ajax post requests to SVC api. Becuase these apis are XML based requests, they must be handled in the simplest way, by embedding the token as a header To test: 1 - Browse to Cataloguing->Advanced editor 2 - Fill out needed values and save 3 - 403 error 4 - Apply patch 5 - Reload and try agian, success! 6 - Edit and save again, success! Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #10 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163490 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163490&action=edit Bug 36351: Fix http-client when response is not JSON Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #11 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163491 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163491&action=edit Bug 36351: Adjust saveRecord and _fromXMLStruct Using the new API Client means we need to handle some calls differently. the http-client is returning only the response, not the text, so we need to handle getting this out with a new async function (or promises, but this works) We also need to adjust _fromXMLStruct as we have reduced the levels in the response by the time it is called This now adds a new 'update' function to the cataloguing client as well. Eventually, this should all be using the REST API, but I think for now handling the non-standard responses gets it working again To test: To test: 1 - Browse to Cataloguing->Advanced editor 2 - New Record 3 - Enter values and save - confirm it works 4 - Confirm url now ends in : editor.pl#catalog/{biblionumber} and not editor.pl#new 5 - Save the record again, confirm biblio is updated and not saved as new Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #12 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 163492 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163492&action=edit Bug 36351: Pretty the api-client Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- There are some new and some pre-existing translatability issues with this one, I filed a separate bug: Bug 36377 - Fix translatability issues in koha-backend.js -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36377 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36377 [Bug 36377] Fix translatability issues in koha-backend.js -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.05.00 released in| | Status|Passed QA |Pushed to master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 --- Comment #14 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.05! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #15 from Fridolin Somers <fridolin.somers@biblibre.com> --- Error in dependency bug number ? It is Bug 34478 "Full CSRF protection" right ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36418 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36418 [Bug 36418] Can't properly renew/checkin from issues-table -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|34487 |34478 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478 [Bug 34478] Full CSRF protection -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to master |RESOLVED --- Comment #16 from Fridolin Somers <fridolin.somers@biblibre.com> --- (In reply to Fridolin Somers from comment #15)
Error in dependency bug number ? It is Bug 34478 "Full CSRF protection" right ?
I fixed it No backport -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Janusz Kaczmarek <januszop@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |38082 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38082 [Bug 38082] Advanced editor does not save the selected framework with new record -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36351 Bug 36351 depends on bug 34478, which changed state. Bug 34478 Summary: Full CSRF protection https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org