[koha-commits] main Koha release repository branch 18.11.x updated. v18.11.14-12-g7d0a022977

Git repo owner gitmaster at git.koha-community.org
Tue Mar 24 03:29:45 CET 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 18.11.x has been updated
       via  7d0a0229778ba594032569c03b4042d56e5da930 (commit)
      from  f97f271fd2a4e68c4ec02b940f521d648867efb5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7d0a0229778ba594032569c03b4042d56e5da930
Author: David Cook <dcook at prosentient.com.au>
Date:   Mon Feb 17 06:50:49 2020 +0000

    Bug 24673: Add CSRF token support to opac-messaging.pl
    
    This patch adds CSRF token support to opac-messaging.pl,
    which allows users to manually update their messaging preferences,
    but prevents bad actors from tricking people into updating their
    preferences from cross-site requests.
    
    Test plan:
    0. Set SMSSendDriver global system preference to "Test" if unset
    1. Log into the OPAC
    2. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
    &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
    3. Observe that the preference and SMS number update
    
    4. Apply the patch
    
    5. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
    &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
    6. Observe that you get an error message of "Wrong CSRF token" instead
    of the previous behaviour
    7. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl
    8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
    9. Observe that the "Advance notice" and "SMS number" fields update
    correctly
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Joy Nelson <joy at bywatersolutions.com>
    (cherry picked from commit 35cdeadbdfbf75731688f71778756aab73ffb824)
    
    Signed-off-by: Hayley Mapley <hayleymapley at catalyst.net.nz>
    
    Signed-off-by: Hayley Mapley <hayleymapley at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt |  1 +
 opac/opac-messaging.pl                                     | 13 +++++++++++++
 2 files changed, 14 insertions(+)


hooks/post-receive
-- 
main Koha release repository

