[Bug 21993] New: Be userfriendly when the CSRF token is wrong
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Bug ID: 21993 Summary: Be userfriendly when the CSRF token is wrong Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org We can use output_and_exit (with blocking_errors.inc) to handle this case in a user friendly manner. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 83142 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=83142&action=edit Bug 21993: Display a user-friendly message when the CSRF token is wrong Instead of dying! Test plan: Assuming you have a patron with borrowernumber=51 and another one that can be deleted with borrowernumber=42 - authorities-home.pl * Delete an authority record * hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete - basket/sendbasket.pl * Send a basket to someone * hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1 - members/apikeys.pl * Generate and delete an API key for a patron * hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete - members/deletemem.pl * Delete a patron * hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed - members/mancredit.pl * Add a manual credit * hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1 - members/maninvoice.pl * Add a manual invoice * hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1 - members/member-flags.pl * Change permissions for a patron * hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1 - members/member-password.pl * Change the password for a patron (from the staff interface) * hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1 - members/memberentry.pl * Edit some patron's info * hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save - members/paycollect.pl * Pay an individual fine * hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1 You may need to edit some values - tools/import_borrowers.pl * Import some patrons * hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1 - tools/picture-upload.pl * Upload an image for a patron * You will need to edit the html content hit Home › Tools › Upload patron images then locate the csrf_token input and modify its value Note for QA: - Opac is not done as blocking_errors.inc does not exist for this interface - ill/ill-requests.pl I did not manage to replace this occurrence -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #2 from Tomás Cohen Arazi <tomascohen@gmail.com> --- I love this patch :-D -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #83142|0 |1 is obsolete| | --- Comment #3 from Owen Leonard <oleonard@myacpl.org> --- Created attachment 83389 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=83389&action=edit Bug 21993: Display a user-friendly message when the CSRF token is wrong Instead of dying! Test plan: Assuming you have a patron with borrowernumber=51 and another one that can be deleted with borrowernumber=42 - authorities-home.pl * Delete an authority record * hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete - basket/sendbasket.pl * Send a basket to someone * hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1 - members/apikeys.pl * Generate and delete an API key for a patron * hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete - members/deletemem.pl * Delete a patron * hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed - members/mancredit.pl * Add a manual credit * hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1 - members/maninvoice.pl * Add a manual invoice * hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1 - members/member-flags.pl * Change permissions for a patron * hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1 - members/member-password.pl * Change the password for a patron (from the staff interface) * hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1 - members/memberentry.pl * Edit some patron's info * hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save - members/paycollect.pl * Pay an individual fine * hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1 You may need to edit some values - tools/import_borrowers.pl * Import some patrons * hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1 - tools/picture-upload.pl * Upload an image for a patron * You will need to edit the html content hit Home › Tools › Upload patron images then locate the csrf_token input and modify its value Note for QA: - Opac is not done as blocking_errors.inc does not exist for this interface - ill/ill-requests.pl I did not manage to replace this occurrence Signed-off-by: Owen Leonard <oleonard@myacpl.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #83389|0 |1 is obsolete| | --- Comment #4 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 83675 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=83675&action=edit Bug 21993: Display a user-friendly message when the CSRF token is wrong Instead of dying! Test plan: Assuming you have a patron with borrowernumber=51 and another one that can be deleted with borrowernumber=42 - authorities-home.pl * Delete an authority record * hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete - basket/sendbasket.pl * Send a basket to someone * hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1 - members/apikeys.pl * Generate and delete an API key for a patron * hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete - members/deletemem.pl * Delete a patron * hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed - members/mancredit.pl * Add a manual credit * hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1 - members/maninvoice.pl * Add a manual invoice * hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1 - members/member-flags.pl * Change permissions for a patron * hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1 - members/member-password.pl * Change the password for a patron (from the staff interface) * hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1 - members/memberentry.pl * Edit some patron's info * hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save - members/paycollect.pl * Pay an individual fine * hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1 You may need to edit some values - tools/import_borrowers.pl * Import some patrons * hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1 - tools/picture-upload.pl * Upload an image for a patron * You will need to edit the html content hit Home › Tools › Upload patron images then locate the csrf_token input and modify its value Note for QA: - Opac is not done as blocking_errors.inc does not exist for this interface - ill/ill-requests.pl I did not manage to replace this occurrence Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Great idea! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |tomascohen@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com Status|Passed QA |Pushed to Master --- Comment #6 from Nick Clemens <nick@bywatersolutions.com> --- Awesome work all! Pushed to master for 19.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com Status|Pushed to Master |Pushed to Stable --- Comment #7 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- This enhancement verges on a bug and as such I've backported it to 18.11.x series for 18.11.03 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 --- Comment #8 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Martin Renvoize from comment #7)
This enhancement verges on a bug and as such I've backported it to 18.11.x series for 18.11.03
Agreed! Great! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21993 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #9 from Lucas Gass <lucas@bywatersolutions.com> --- cant apply cleanly to 18.05.x needs rebase -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org