[Bug 34650] New: Editing/deleting lists from toolbar on virtualshelves/shelves.pl causes CSRF error
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Bug ID: 34650 Summary: Editing/deleting lists from toolbar on virtualshelves/shelves.pl causes CSRF error Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Lists Assignee: koha-bugs@lists.koha-community.org Reporter: lucas@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl To recreate: 1. Add a list 2. Go to that list ( virtualshelves/shelves.pl?op=view&shelfnumber=X ) 3. From the toolbar click the 'Edit' dropdown. 4. From the dropdown try either 'Edit list' or 'Delete list'. 5. CSRF error -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |normal -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |22990 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #1 from Lucas Gass <lucas@bywatersolutions.com> --- Created attachment 154926 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154926&action=edit Bug 34650: Add CSRF token to edit/delete toolbar links To test: 1. Add a list 2. Go to that list ( virtualshelves/shelves.pl?op=view&shelfnumber=X ) 3. From the toolbar click the 'Edit' dropdown. 4. From the dropdown try either 'Edit list' or 'Delete list'. 5. CSRF error 6. APPLY PATCH 7. Try 2 - 4 again, no more error. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |lucas@bywatersolutions.com |ity.org | Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Technically, we should be looking at changing these GETs to POSTs, although I don't know if we have at-hand styling to do that. I will take a quick look to see if I can do a little alternative. If not, I'll sign off... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- op=edit_form shouldn't need a CSRF token either since it's not state changing... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #3)
op=edit_form shouldn't need a CSRF token either since it's not state changing...
I mean the previous change wasn't correct. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #154926|0 |1 is obsolete| | --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Created attachment 154933 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154933&action=edit Bug 34650: Remove unnecessary CSRF check on edit_form The op "edit_form" doesn't change state. It just renders the edit form. Therefore, it doesn't need a CSRF token/check. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Created attachment 154934 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154934&action=edit Bug 34650: Convert list toolbar delete into form POST This patch adds a HTML form with a CSRF token to POST the list delete, which is triggered by a click handler on the A element. The A element is still needed for existing style reasons. Test plan: 0. Apply patch 1. koha-plack --reload kohadev 2. In the staff interface, add a list 3. Go into that list (e.g. virtualshelves/shelves.pl?op=view&shelfnumber=X) 4. From the toolbar click the "Edit" dropdown 5. From the dropdown try either "Edit list" or "Delete list" 6. Note no CSRF error and operation completes as expected -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Sorry for taking this one over, Lucas, but I think this is a better way to go. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|lucas@bywatersolutions.com |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #8 from Lucas Gass <lucas@bywatersolutions.com> --- (In reply to David Cook from comment #7)
Sorry for taking this one over, Lucas, but I think this is a better way to go.
No problem, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #154933|0 |1 is obsolete| | --- Comment #9 from Lucas Gass <lucas@bywatersolutions.com> --- Created attachment 154955 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154955&action=edit Bug 34650: Remove unnecessary CSRF check on edit_form The op "edit_form" doesn't change state. It just renders the edit form. Therefore, it doesn't need a CSRF token/check. Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #154934|0 |1 is obsolete| | --- Comment #10 from Lucas Gass <lucas@bywatersolutions.com> --- Created attachment 154956 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154956&action=edit Bug 34650: Convert list toolbar delete into form POST This patch adds a HTML form with a CSRF token to POST the list delete, which is triggered by a click handler on the A element. The A element is still needed for existing style reasons. Test plan: 0. Apply patch 1. koha-plack --reload kohadev 2. In the staff interface, add a list 3. Go into that list (e.g. virtualshelves/shelves.pl?op=view&shelfnumber=X) 4. From the toolbar click the "Edit" dropdown 5. From the dropdown try either "Edit list" or "Delete list" 6. Note no CSRF error and operation completes as expected Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Looking here -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #154955|0 |1 is obsolete| | --- Comment #12 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 155089 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155089&action=edit Bug 34650: Remove unnecessary CSRF check on edit_form The op "edit_form" doesn't change state. It just renders the edit form. Therefore, it doesn't need a CSRF token/check. Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #154956|0 |1 is obsolete| | --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 155090 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155090&action=edit Bug 34650: Convert list toolbar delete into form POST This patch adds a HTML form with a CSRF token to POST the list delete, which is triggered by a click handler on the A element. The A element is still needed for existing style reasons. Test plan: 0. Apply patch 1. koha-plack --reload kohadev 2. In the staff interface, add a list 3. Go into that list (e.g. virtualshelves/shelves.pl?op=view&shelfnumber=X) 4. From the toolbar click the "Edit" dropdown 5. From the dropdown try either "Edit list" or "Delete list" 6. Note no CSRF error and operation completes as expected Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |23.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #14 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.11. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Elise K. <elise.konya@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |elise.konya@bywatersolution | |s.com --- Comment #15 from Elise K. <elise.konya@bywatersolutions.com> --- Would it be possible to backport this to oldstable and oldoldstable? Thanks, all! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 George Williams (NEKLS) <george@nekls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |george@nekls.org --- Comment #16 from George Williams (NEKLS) <george@nekls.org> --- (In reply to Elise Konya from comment #15)
Would it be possible to backport this to oldstable and oldoldstable? Thanks, all!
+1 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable Version(s)|23.11.00 |23.11.00,23.05.04 released in| | CC| |fridolin.somers@biblibre.co | |m --- Comment #17 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.05.x for 23.05.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.11.00,23.05.04 |23.11.00,23.05.04,22.11.10 released in| | Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34650 --- Comment #18 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Nice work everyone! Pushed to oldstable for 22.11.x -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org