Bug 18019: [QA Follow-up] Also catch the delete from authorities detail
authorMarcel de Rooy <m.de.rooy@rijksmuseum.nl>
Thu, 30 Mar 2017 08:20:30 +0000 (10:20 +0200)
committerKyle M Hall <kyle@bywatersolutions.com>
Fri, 31 Mar 2017 13:08:24 +0000 (13:08 +0000)
Good catch from Jonathan. See comment11.
Authorities detail should pass a CSRF token to authorities-home when
deleting a record without linked biblios.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Passing the token with GET is not a good way to do it, but there is nothing
quick to replace it with.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

authorities/detail.pl
koha-tmpl/intranet-tmpl/prog/en/modules/authorities/detail.tt

index 1ba280d..38af541 100755 (executable)
@@ -50,6 +50,7 @@ use C4::Koha;
 use Koha::Authorities;
 
 use Koha::Authority::Types;
+use Koha::Token;
 
 our ($tagslib);
 
@@ -219,6 +220,7 @@ $template->param(
     authtypetext    => $authority_types->find($authtypecode)->authtypetext,
     authtypecode    => $authtypecode,
     authority_types => $authority_types,
+    csrf_token      => Koha::Token->new->generate_csrf({ session_id => scalar $query->cookie('CGISESSID') }),
 );
 
 $template->{VARS}->{marcflavour} = C4::Context->preference("marcflavour");
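Review bot: The `csrf_token` entry added to `$template->param(...)` has no comment saying where the token is used, and the consumer lives in a different file. A one-line comment above it would make the link explicit, for example `# CSRF token for the op=delete link that detail.tt builds in confirm_deletion()`. The token is bound to the raw `CGISESSID` cookie value, so the receiving script presumably has to verify it against the same cookie; that check is not part of this commit and is worth confirming. The `$template->param(` call starts outside the hunk.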
index 295c325..e150232 100644 (file)
@@ -34,7 +34,7 @@
 function confirm_deletion() {
     var is_confirmed = confirm(_("Are you sure you want to delete this authority?"));
     if (is_confirmed) {
-        window.location="authorities-home.pl?op=delete&authid=[% authid %]";
+        window.location="authorities-home.pl?op=delete&authid=[% authid %]&csrf_token=[% csrf_token %]";
     }
 }
 function Dopop(link) {
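Review bot: On the new `window.location` line the `csrf_token` value is interpolated into the query string with no Template Toolkit filter, so any character in it that is special in a URL or in a JavaScript string literal would corrupt the parameter or break the statement. Whether the generated token can contain such characters is not visible in this commit, but encoding both values removes the question: `window.location="authorities-home.pl?op=delete&authid=[% authid | uri %]&csrf_token=[% csrf_token | uri %]";`. `confirm_deletion` is fully inside the hunk, so no other line needs to change.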