https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37853
Bug ID: 37853
Summary: Returning to your account at the end of changing your
password in the OPAC doesn't need to POST a form
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P3
Component: OPAC
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Depends on: 36192
Blocks: 37728
The end of the UI flow of changing your password in the OPAC is a page which
tells you your password was changed (good, you need to know it's time to log
out and back in to change your saved password, or that it's time to scribble
out the old one on a Post-it and write down the new one), and then offers to
take you back to your account with a button in a form which does a POST to
opac-user.pl without an op and with your borrowernumber, which is double-bad.
We intend not to allow POST without an op, and once the test is fixed in bug
37728 this will fail, and there's no need for the borrowernumber since it will
be completely ignored by the script, which will instead get it from your cookie
or make you log in.
Instead of a form+button+POST, it should just be a link.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728
[Bug 37728] More "op" are missing in POSTed forms
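To make the two rules the report relies on concrete (a POST without an `op` is rejected outright, and opac-user.pl takes the borrower identity from the session cookie rather than from a submitted borrowernumber), here is an added model written for this page. It is not Koha's code; the request/session shapes, the `SESSIONS` store and the cookie name are constructed assumptions.

```python
# Added illustration, not Koha's code: a minimal model of the policy the bug
# report describes. Koha's CSRF middleware and opac-user.pl differ in detail.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed session store: session cookie value -> borrowernumber.
SESSIONS = {"session-abc": 42}


def gate_post(req):
    """Model of 'we intend not to allow POST without an op': a POST that
    carries no `op` parameter is refused before any script sees it."""
    if req.method == "POST" and "op" not in req.params:
        return 403, "POST without an op is not allowed"
    return None


def opac_user(req):
    """Model of opac-user.pl identity handling: the borrowernumber comes from
    the session cookie only; any borrowernumber in the request is ignored, and
    without a session the user is sent to log in."""
    blocked = gate_post(req)
    if blocked:
        return blocked
    borrowernumber = SESSIONS.get(req.cookies.get("CGISESSID"))
    if borrowernumber is None:
        return 302, "redirect to login"
    return 200, f"account page for borrower {borrowernumber}"


# The form the report complains about: POST, no op, borrowernumber in the body.
FORM_POST = Request("POST", {"borrowernumber": "999"}, {"CGISESSID": "session-abc"})
# The proposed replacement: a plain link, i.e. a GET with no parameters.
LINK_GET = Request("GET", {}, {"CGISESSID": "session-abc"})
```

Running `opac_user(FORM_POST)` yields the 403 the report predicts once the check lands, while `opac_user(LINK_GET)` reaches the account page for borrower 42, showing that the submitted borrowernumber 999 never mattered.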
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs