Good catch from Jonathan. See comment11.
Authorities detail should pass a CSRF token to authorities-home when
deleting a record without linked biblios.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Passing the token with GET is not a good way to do it, but there is no quick
replacement for that.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
use Koha::Authorities;
use Koha::Authority::Types;
+use Koha::Token;
our ($tagslib);
authtypetext => $authority_types->find($authtypecode)->authtypetext,
authtypecode => $authtypecode,
authority_types => $authority_types,
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $query->cookie('CGISESSID') }),
);
$template->{VARS}->{marcflavour} = C4::Context->preference("marcflavour");
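Review bot: Nothing in the visible lines verifies the token, because the added `csrf_token` entry only mints a value for the template. The protection therefore depends on the delete branch of authorities-home.pl calling `Koha::Token->new->check_csrf` with the same `session_id` and refusing the delete when the token is missing or invalid. That script is not shown here, so this should be confirmed there. I would also add a comment above the new line, `# Verified by authorities-home.pl (op=delete); must use the same CGISESSID value`, so the pairing survives later edits. The parameter list this line joins begins outside the hunk.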
function confirm_deletion() {
var is_confirmed = confirm(_("Are you sure you want to delete this authority?"));
if (is_confirmed) {
- window.location="authorities-home.pl?op=delete&authid=[% authid %]";
+ window.location="authorities-home.pl?op=delete&authid=[% authid %]&csrf_token=[% csrf_token %]";
}
}
function Dopop(link) {
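Review bot: The new `window.location` line in `confirm_deletion` interpolates `[% csrf_token %]` into a query string with no Template Toolkit filter. The token format is not visible here, but if it can contain URL-significant characters such as `+`, `/` or `=`, authorities-home.pl may receive a different value from the one generated, and a legitimate delete would fail the check. Filtering it, `...&authid=[% authid | uri %]&csrf_token=[% csrf_token | uri %]";`, keeps the value intact and stops either variable from breaking out of the URL. `Dopop` continues outside the hunk and is not reviewed.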