[Bug 37407] New: Fast Add / Fast Cataloging from patron checkout does not checkout item
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Bug ID: 37407 Summary: Fast Add / Fast Cataloging from patron checkout does not checkout item Change sponsored?: --- Product: Koha Version: 24.05 Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Circulation Assignee: koha-bugs@lists.koha-community.org Reporter: bwsdonna@gmail.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com To replicate: 1. Go to any patron checkout screen 2. Enter a barcode that is not in the system 3. Click on the "Add using Fast Cataloging" in Barcode not found warning 4. Enter bib/item info and click on Save 5. You are returned to the patron checkout screen but it is not checked out The bib record and item record are created, but staff will need to scan the item again in order to check it out. Since this is the workflow a lot of libraries use for ephemeral items, magazines, etc, this will add a lot of clicks and cause confusion. Worked as expected as late as 23.11.05 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Esther Melander <esther.melander@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |esther.melander@bywatersolu | |tions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |blawlor@clamsnet.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36192 --- Comment #1 from Brendan Lawlor <blawlor@clamsnet.org> --- This is related to CSRF protection because doing the checkout now requires op=cud-checkout. When you add the item, additem.pl does a redirect to circulation.pl, which is like a GET request so we can't just add the op to the redirect. # additem.pl line 491 if ( $frameworkcode eq 'FA' && $fa_circborrowernumber ) { print $input->redirect( '/cgi-bin/koha/circ/circulation.pl?' Probably not the best solution, but one thought I had was to populate the barcode field in circulation.tt and trigger the checkout button with javascript Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Andrew Fuerste-Henry <andrewfh@dubcolib.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andrewfh@dubcolib.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Yeah that's an interesting one. I suppose one option would be to do the redirect in a way that it re-populates the barcode input box, and then requires the user to actually click the checkout button again. On one hand, I don't love the GET request param being used to fill in the input box, but it's probably the shortest path forward. Plus, if we add data verification (like we should), we'd check that the URL parameter barcode actually exists in the database before popping it in the box. Not something I'm planning on working on ATM, but that's how I'd do it I think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #3 from Brendan Lawlor <blawlor@clamsnet.org> --- Created attachment 169316 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169316&action=edit Bug 37407: Fill barcode field when fast cataloging from patron checkout This patch fills the barcode field on the patron checkout screen when an item is fast cataloged at checkout. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode you entered previously is filled in the barcode field 7. Hit 'Enter' or click 'Checkout' and verify the item is checked out -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Catrina Berka <catrina@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |catrina@bywatersolutions.co | |m -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #4 from Brendan Lawlor <blawlor@clamsnet.org> --- This could be added to the javascript on circulation tt to automatically submit the form, but I think that would go against the CSRF protection so I did not include that part in the patch. [% IF fa_barcode %] $('#mainform').submit(); [% END %] -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #5 from Donna <bwsdonna@gmail.com> --- I think the checkout should be automatic, since that is the behavior now. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to Donna from comment #5)
I think the checkout should be automatic, since that is the behavior now.
If the checkout were to be automatic, it would have to be done on the additem.pl page, which is going to come with a number of issues and take a lot more work. With the redirect, as Brendan says, automatic checkout would be a CSRF vulnerability. An alternative to Brendan's patch would be for additem.pl to not redirect to circulation.pl, but rather to show a new confirmation asking if they wanted to checkout. They'd then click confirm, and that would POST back to circulation.pl. But either way the user is going to have an extra click without a significant. I think this is a pretty good compromise. At least for now. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169316|0 |1 is obsolete| | --- Comment #7 from Brendan Lawlor <blawlor@clamsnet.org> --- Created attachment 169415 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169415&action=edit Bug 37407: Fix automatic checkout for fast cataloging This patch adds a check for the referrer to the circulation page. If the referrer is from the same origin's additem.pl then get the barcode from the url parameters, fill the form and submit. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode is filled and the form is submitted automatically 7. Confirm the item is checked out and the dutedate specified works 8. Add an html customization somewhere else in koha with a link like http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=38&barcode=99999&duedatespec=&stickyduedate= 9. Click on the link to simulate a csrf attack 10. Confirm the checkout page is loaded for that patron but no checkout is made -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169415|0 |1 is obsolete| | --- Comment #8 from Brendan Lawlor <blawlor@clamsnet.org> --- Created attachment 169416 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169416&action=edit Bug 37407: Fix automatic checkout for fast cataloging This patch adds a check for the referrer to the circulation page. If the referrer is from the same origin's additem.pl then get the barcode from the url parameters, fill the form and submit. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode is filled and the form is submitted automatically 7. Confirm the item is checked out and the dutedate specified works 8. Add an html customization somewhere else in koha with a link like http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=38&barcode=99999&duedatespec=&stickyduedate= 9. Click on the link to simulate a csrf attack 10. Confirm the checkout page is loaded for that patron but no checkout is made -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #9 from Brendan Lawlor <blawlor@clamsnet.org> --- The latest patch is pure javascript so until this bug is resolved this can be added to IntranetUserJS as a workaround: $(document).ready(function() { // Handle checkout for fast cataloging // Check the referrer to prevent csrf, fill and submit form if(document.referrer.split('?')[0] === window.location.origin +'/cgi-bin/koha/cataloguing/additem.pl') { let urlParams = new URLSearchParams(window.location.search); let barcode = urlParams.get('barcode'); $('#barcode').val(barcode); $('#mainform').submit(); } }); This code checks that the referrer is the same origin and from the additem page, but it might not be as secure as the token based csrf protection. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|24.05 |Main -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Eric Garcia <cubingguy714@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Eric Garcia <cubingguy714@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169416|0 |1 is obsolete| | --- Comment #10 from Eric Garcia <cubingguy714@gmail.com> --- Created attachment 169502 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169502&action=edit Bug 37407: Fix automatic checkout for fast cataloging This patch adds a check for the referrer to the circulation page. If the referrer is from the same origin's additem.pl then get the barcode from the url parameters, fill the form and submit. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode is filled and the form is submitted automatically 7. Confirm the item is checked out and the dutedate specified works 8. Add an html customization somewhere else in koha with a link like http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=38&barcode=99999&duedatespec=&stickyduedate= 9. Click on the link to simulate a csrf attack 10. Confirm the checkout page is loaded for that patron but no checkout is made Signed-off-by: Eric Garcia <cubingguy714@gmail.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- At a glance, this should work, but... conventional wisdom is that HTTP Referer/document.referrer shouldn't be used for security. This feels like a workaround. That said, at the moment, I can't see a particular technical flaw in it. In the context that document.referrer is being used... I can't see a way it could be manipulated to trigger this form submit (other than XSS but that's an issue for token based anti-CSRF too). I thought Javascript could manipulate the Referer for AJAX requests, but the Internet tells me that's not the case. So yeah... I think this is OK, but I don't like it. So I won't Fail QA, but I'm not going to Pass QA either. A different QAer may feel differently. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169502|0 |1 is obsolete| | --- Comment #12 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 169602 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169602&action=edit Bug 37407: Fix automatic checkout for fast cataloging This patch adds a check for the referrer to the circulation page. If the referrer is from the same origin's additem.pl then get the barcode from the url parameters, fill the form and submit. Test plan: 1. Apply patch 2. Enter a barcode not in the system, eg 99999 3. Click '+ Add record using fast cataloging' 4. Fill required bib fields 000, 008 and 245a and click 'Save' 5. Add required item field y - Koha item type and click 'Add item' 6. Notice the barcode is filled and the form is submitted automatically 7. Confirm the item is checked out and the dutedate specified works 8. Add an html customization somewhere else in koha with a link like http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=38&barcode=99999&duedatespec=&stickyduedate= 9. Click on the link to simulate a csrf attack 10. Confirm the checkout page is loaded for that patron but no checkout is made Signed-off-by: Eric Garcia <cubingguy714@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com --- Comment #13 from Kyle M Hall <kyle@bywatersolutions.com> --- I've been unable to find a better solution either. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |blawlor@clamsnet.org |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com QA Contact|testopia@bugs.koha-communit |kyle@bywatersolutions.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |24.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #14 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Thanks for all the hard work! Pushed to main for the next 24.11.00 release as RM Assistant -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Fast Add / Fast Cataloging |Fast add / fast cataloging |from patron checkout does |from patron checkout does |not checkout item |not checkout item -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Katie Bliss <kebliss@dmpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kebliss@dmpl.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.04 released in| | Status|Pushed to main |Pushed to stable --- Comment #15 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #16 from Fridolin Somers <fridolin.somers@biblibre.com> --- "cud-" not in 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |38649 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38649 [Bug 38649] Searching for a patron from additem.pl triggers an issue slip to print -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com --- Comment #17 from Jonathan Druart <jonathan.druart@gmail.com> --- I am seeing this error in the console: Uncaught TypeError: document.referrer.split(...)[1] is undefined To recreate just hit http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=5 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #18 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Jonathan Druart from comment #17)
I am seeing this error in the console:
Uncaught TypeError: document.referrer.split(...)[1] is undefined
To recreate just hit http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=5
See bug 39307. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |39307 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39307 [Bug 39307] console.error on circ/circulation.pl page -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|39307 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39307 [Bug 39307] console.error on circ/circulation.pl page -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |39307 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39307 [Bug 39307] console.error on circ/circulation.pl page -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED --- Comment #19 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Bug fix, nothing to change in the manual. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org