    Bug 21993: Display a user-friendly message when the CSRF token is wrong · b990b953
    joubu authored
    Instead of dying!
    Test plan:
    Assuming you have a patron with borrowernumber=51 and another one that
    can be deleted with borrowernumber=42
    - authorities-home.pl
      * Delete an authority record
      * hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete
    - basket/sendbasket.pl
      * Send a basket to someone
      * hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1
    - members/apikeys.pl
      * Generate and delete an API key for a patron
      * hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete
    - members/deletemem.pl
      * Delete a patron
      * hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed
    - members/mancredit.pl
      * Add a manual credit
      * hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1
    - members/maninvoice.pl
      * Add a manual invoice
      * hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1
    - members/member-flags.pl
      * Change permissions for a patron
      * hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1
    - members/member-password.pl
      * Change the password for a patron (from the staff interface)
      * hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1
    - members/memberentry.pl
      * Edit some patron's info
      * hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save
    - members/paycollect.pl
      * Pay an individual fine
      * hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1
        You may need to edit some values
    - tools/import_borrowers.pl
      * Import some patrons
      * hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1
    - tools/picture-upload.pl
      * Upload an image for a patron
      * You will need to edit the HTML content:
        hit Home › Tools › Upload patron images,
        then locate the csrf_token input and modify its value
    Note for QA:
    - OPAC is not done as blocking_errors.inc does not exist for this
    - ill/ill-requests.pl
      I did not manage to replace this occurrence
    Signed-off-by: Owen Leonard <oleonard@myacpl.org>
    Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
    Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
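The behaviour the commit describes (a state-changing request with a missing or wrong CSRF token is answered with a blocking error on the page instead of a `die`) can be modelled and regression-tested against the URLs in the test plan. The following is an added example in Python, not Koha's own code: the token scheme (HMAC-SHA256 over the session id with a constructed secret), the `WRITE_PARAMS` mapping derived from the test-plan URLs, the `blocking_errors` list and the error key `wrong_csrf_token` are all assumptions for this illustration. `handle_dying` stands in for the pre-patch behaviour and `handle_friendly` for the patched one; `run_test_plan` replays every test-plan URL without a token and reports whether the action was blocked.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed server-side secret for this example only.
SECRET = b"constructed-example-secret"

# Scripts from the test plan and the request parameter(s) that make the
# request state-changing. Constructed from the test-plan URLs; a value of
# None means "any value" (member-password.pl). picture-upload.pl is left
# out because the test plan gives no URL parameter for it.
WRITE_PARAMS = {
    "authorities/authorities-home.pl": {"op": "delete"},
    "basket/sendbasket.pl": {"email_add": "1"},
    "members/apikeys.pl": {"op": "delete"},
    "members/deletemem.pl": {"op": "delete_confirmed"},
    "members/mancredit.pl": {"add": "1"},
    "members/maninvoice.pl": {"add": "1"},
    "members/member-flags.pl": {"newflags": "1"},
    "members/member-password.pl": {"newpassword": None},
    "members/memberentry.pl": {"op": "save"},
    "members/paycollect.pl": {"paid": "1"},
    "tools/import_borrowers.pl": {"uploadborrowers": "1"},
}

# The URLs from the commit's test plan, replayed without a csrf_token.
TEST_PLAN_URLS = [
    "/cgi-bin/koha/authorities/authorities-home.pl?op=delete",
    "/cgi-bin/koha/basket/sendbasket.pl?email_add=1",
    "/cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete",
    "/cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed",
    "/cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1",
    "/cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1",
    "/cgi-bin/koha/members/member-flags.pl?member=51&newflags=1",
    "/cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1",
    "/cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save",
    "/cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1"
    "&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1",
    "/cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1",
]


def generate_csrf(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256(secret, session id)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id: str, token) -> bool:
    """Constant-time comparison; a missing token never validates."""
    if not token:
        return False
    return hmac.compare_digest(generate_csrf(session_id), str(token))


def is_write(script: str, params: dict) -> bool:
    """True when the parameters turn this script into a state-changing action."""
    wanted = WRITE_PARAMS.get(script)
    if not wanted:
        return False
    return all(k in params and (v is None or params[k] == v) for k, v in wanted.items())


@dataclass
class Response:
    status: int
    template: str
    blocking_errors: list = field(default_factory=list)  # rendered by blocking_errors.inc
    performed: bool = False  # whether the state change actually happened


class WrongCsrfToken(Exception):
    """Stands in for the pre-patch die()."""


def handle_dying(script: str, params: dict, session_id: str) -> Response:
    """Pre-patch behaviour: the script dies, and the user sees a raw error."""
    if is_write(script, params) and not check_csrf(session_id, params.get("csrf_token")):
        raise WrongCsrfToken("Wrong CSRF token")
    return Response(200, script, performed=True)


def handle_friendly(script: str, params: dict, session_id: str) -> Response:
    """Post-patch behaviour: the page renders with a blocking error, nothing is changed."""
    if is_write(script, params) and not check_csrf(session_id, params.get("csrf_token")):
        return Response(200, script, blocking_errors=["wrong_csrf_token"])  # assumed key
    return Response(200, script, performed=True)


def from_url(url: str):
    """Split a test-plan URL into (script, params)."""
    parts = urlsplit(url)
    script = parts.path.split("/cgi-bin/koha/", 1)[1]
    return script, dict(parse_qsl(parts.query))


def run_test_plan(session_id: str = "sess-1") -> dict:
    """Replay each test-plan URL with no token: script -> (blocking_errors, performed)."""
    results = {}
    for url in TEST_PLAN_URLS:
        script, params = from_url(url)
        resp = handle_friendly(script, params, session_id)
        results[script] = (resp.blocking_errors, resp.performed)
    return results


if __name__ == "__main__":
    for script, (errors, performed) in run_test_plan().items():
        print(f"{script:40} blocked={bool(errors)} performed={performed}")
```

Every replayed URL should come back with the blocking error set and `performed` false; the same request with a token generated for the right session goes through, and a token minted for a different session is rejected, which is the property QA is checking when they edit the `csrf_token` input by hand.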
