[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766
Bug 37766 depends on bug 36192, which changed state.

Bug 36192 Summary: [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192

           What    |Removed                     |Added
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Aude Charillon changed:

           What    |Removed                     |Added
             Status|Needs documenting           |RESOLVED
         Resolution|---                         |FIXED
                 CC|                            |aude.charillon@ptfs-europe.
                   |                            |com

--- Comment #13 from Aude Charillon ---
No need for update to Koha Manual.
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Fridolin Somers changed:

           What    |Removed                     |Added
                 CC|                            |fridolin.som...@biblibre.co
                   |                            |m
             Status|Pushed to stable            |Needs documenting

--- Comment #12 from Fridolin Somers ---
Not for 23.11.x
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Lucas Gass (lukeg) changed:

           What    |Removed                     |Added
         Version(s)|24.11.00                    |24.11.00,24.05.06
        released in|                            |
                 CC|                            |lu...@bywatersolutions.com
             Status|Pushed to main              |Pushed to stable

--- Comment #11 from Lucas Gass (lukeg) ---
Backported to 24.05.x for upcoming 24.05.06
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #10 from Katrin Fischer ---
Pushed for 24.11!

Well done everyone, thank you!
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Katrin Fischer changed:

           What    |Removed                     |Added
             Status|Passed QA                   |Pushed to main
         Version(s)|                            |24.11.00
        released in|                            |
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #9 from Katrin Fischer ---
(In reply to Jonathan Druart from comment #8)
> I had a special look at this removal when QAing and it is safe.

Thanks all!
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #8 from Jonathan Druart ---
I had a special look at this removal when QAing and it is safe.
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #7 from Phil Ringnalda ---
Only if at some point we either used tabs in View subfields, or had UI to delete subfields in Edit subfields. Currently, tabs are Edit-only, and Delete is View-only.
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Martin Renvoize changed:

           What    |Removed                     |Added
         QA Contact|testo...@bugs.koha-communit |jonathan.dru...@gmail.com
                   |y.org                       |
                 CC|                            |martin.renvoize@ptfs-europe
                   |                            |.com
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #6 from Katrin Fischer ---
If we are deleting subfields, could this be a remnant with the idea to lead you back to the correct open tab? Tabs have been reworked a couple times, so not sure if that would still work.

Will have another look here later, fighting with Jenkins a bit.
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #5 from Phil Ringnalda ---
(In reply to Katrin Fischer from comment #4)
> - value="[% mss.tagsubfield | html %]" />
>
> Is this removal intended here?

Very much intentional: the form above, that does the "Yes, delete" action, needs to tell the script the tag, the subfield, and the framework, but the cancel one only needs to tell it the tag and framework to go back to showing the subfields for that tag.
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #4 from Katrin Fischer ---
-

Is this removal intended here?
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Jonathan Druart changed:

           What    |Removed                     |Added
 Attachment #170914|0                           |1
        is obsolete|                            |

--- Comment #3 from Jonathan Druart ---
Created attachment 170942
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170942&action=edit
Bug 37766: Fix forms that POST without an op in MARC bibliographic frameworks

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed.

In MARC bibliographic frameworks, that's the tag search form, which should be a GET so the URL includes what you searched for and you can bookmark it or link to the search, and the cancel "No, do not delete" button in the page to confirm deleting a subfield, which should also be a GET to take you back to the page where you were, which was ?tagfield=903&frameworkcode=VR when you clicked Delete.

Test plan:
1. No visible change in behavior (only the URL), so start with the patch applied
2. Administration - MARC bibliographic framework - choose one other than Default, since the "&framework=" of Default could be confused with a failure to get the code in there - Actions - MARC structure
3. Type any three digit number higher than 009 (you want something with subfields) in the Search for tag input and hit Enter
4. Verify that your URL has the searchfield and frameworkcode correct and that number or next highest number tag is displayed first
5. Change the In framework select menu to another non-Default framework and click search, and verify that the URL changes to that frameworkcode, and that framework is displayed
6. Toggle the Display only used tags/subfields checkbox, search for a different tag, and verify that the state of the checkbox persists as you do more searches
7. On any other listed tag - Actions - View subfields
8. For any displayed subfield click Delete
9. In the confirmation page click No, do not delete
10. Verify that the page you return to has the correct tagfield and frameworkcode for the tag you chose

Sponsored-by: Chetco Community Public Library
Signed-off-by: Owen Leonard
Signed-off-by: Jonathan Druart
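
The convention stated in the commit message above (a form with method="post" must carry an op that starts with "cud-", while search and cancel forms use GET) can be checked mechanically over templates. The following Python audit is an added example, not part of the thread or of Koha's own QA tooling; the sample template, its action URLs and the op value "cud-example-delete" are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample template (not Koha source): the action URLs and the op
# value "cud-example-delete" are placeholders; the field names follow the
# parameters quoted in the commit message.
SAMPLE = """\
<form action="/example/tags" method="post">
  <input type="text" name="searchfield" />
  <input type="hidden" name="frameworkcode" value="VR" />
</form>
<form action="/example/subfields" method="post">
  <input type="hidden" name="op" value="cud-example-delete" />
  <input type="hidden" name="tagfield" value="903" />
</form>
<form action="/example/subfields" method="get">
  <input type="hidden" name="tagfield" value="903" />
  <input type="hidden" name="frameworkcode" value="VR" />
</form>
"""


class PostFormAudit(HTMLParser):
    """Flag <form method="post"> elements whose op is missing or not "cud-"."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line of the <form> tag, reason)
        self._form = None   # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            method = (a.get("method") or "get").lower()  # HTML default is GET
            self._form = {"line": self.getpos()[0], "post": method == "post", "ops": []}
        elif tag in ("input", "button") and self._form and a.get("name") == "op":
            self._form["ops"].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        if not form["post"]:
            return  # the convention on this page concerns POST forms only
        if not form["ops"]:
            self.findings.append((form["line"], "POST form has no op input"))
        elif not all(v.startswith("cud-") for v in form["ops"]):
            self.findings.append((form["line"], 'POST form op does not start with "cud-"'))


def audit(template_text):
    """Return (line, reason) pairs for POST forms that break the convention."""
    parser = PostFormAudit()
    parser.feed(template_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print(f"line {line}: {reason}")
```

Only the first form in the sample is reported; the fix described in the commit message for that case is to make the search form a GET.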
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Jonathan Druart changed:

           What    |Removed                     |Added
             Status|Signed Off                  |Passed QA
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Owen Leonard changed:

           What    |Removed                     |Added
 Attachment #170893|0                           |1
        is obsolete|                            |

--- Comment #2 from Owen Leonard ---
Created attachment 170914
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170914&action=edit
Bug 37766: Fix forms that POST without an op in MARC bibliographic frameworks

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed.

In MARC bibliographic frameworks, that's the tag search form, which should be a GET so the URL includes what you searched for and you can bookmark it or link to the search, and the cancel "No, do not delete" button in the page to confirm deleting a subfield, which should also be a GET to take you back to the page where you were, which was ?tagfield=903&frameworkcode=VR when you clicked Delete.

Test plan:
1. No visible change in behavior (only the URL), so start with the patch applied
2. Administration - MARC bibliographic framework - choose one other than Default, since the "&framework=" of Default could be confused with a failure to get the code in there - Actions - MARC structure
3. Type any three digit number higher than 009 (you want something with subfields) in the Search for tag input and hit Enter
4. Verify that your URL has the searchfield and frameworkcode correct and that number or next highest number tag is displayed first
5. Change the In framework select menu to another non-Default framework and click search, and verify that the URL changes to that frameworkcode, and that framework is displayed
6. Toggle the Display only used tags/subfields checkbox, search for a different tag, and verify that the state of the checkbox persists as you do more searches
7. On any other listed tag - Actions - View subfields
8. For any displayed subfield click Delete
9. In the confirmation page click No, do not delete
10. Verify that the page you return to has the correct tagfield and frameworkcode for the tag you chose

Sponsored-by: Chetco Community Public Library
Signed-off-by: Owen Leonard
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Owen Leonard changed:

           What    |Removed                     |Added
             Status|Needs Signoff               |Signed Off
   Patch complexity|---                         |Trivial patch
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

--- Comment #1 from Phil Ringnalda ---
Created attachment 170893
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170893&action=edit
Bug 37766: Fix forms that POST without an op in MARC bibliographic frameworks

We intend not to have forms with method="post" without an op variable (so we can check that the op starts with "cud-" as part of the CSRF protection), but because of bug 37728 some were missed.

In MARC bibliographic frameworks, that's the tag search form, which should be a GET so the URL includes what you searched for and you can bookmark it or link to the search, and the cancel "No, do not delete" button in the page to confirm deleting a subfield, which should also be a GET to take you back to the page where you were, which was ?tagfield=903&frameworkcode=VR when you clicked Delete.

Test plan:
1. No visible change in behavior (only the URL), so start with the patch applied
2. Administration - MARC bibliographic framework - choose one other than Default, since the "&framework=" of Default could be confused with a failure to get the code in there - Actions - MARC structure
3. Type any three digit number higher than 009 (you want something with subfields) in the Search for tag input and hit Enter
4. Verify that your URL has the searchfield and frameworkcode correct and that number or next highest number tag is displayed first
5. Change the In framework select menu to another non-Default framework and click search, and verify that the URL changes to that frameworkcode, and that framework is displayed
6. Toggle the Display only used tags/subfields checkbox, search for a different tag, and verify that the state of the checkbox persists as you do more searches
7. On any other listed tag - Actions - View subfields
8. For any displayed subfield click Delete
9. In the confirmation page click No, do not delete
10. Verify that the page you return to has the correct tagfield and frameworkcode for the tag you chose

Sponsored-by: Chetco Community Public Library
[Koha-bugs] [Bug 37766] Fix forms that POST without an op in MARC bibliographic frameworks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37766

Phil Ringnalda changed:

           What    |Removed                     |Added
             Status|NEW                         |Needs Signoff