https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37769
Bug ID: 37769
Summary: Fix forms that POST without an op in currency
administration
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P3
Component: System Administration
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
Depends on: 36192
Blocks: 37728
We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.
In Currency and exchange rate administration, that's the "OK" button that takes
you back to the list when you try to delete a currency in use by a vendor,
which doesn't need to POST, and the OK button in the confirmation page after
you delete a currency, which currently doesn't actually show at all, but when
it does doesn't need to POST since it just takes you back to the list of
currencies.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728
[Bug 37728] More "op" are missing in POSTed forms
--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
