From 9a5b83b46dcf8bbcdc8d61d437191144a4bcbc6c Mon Sep 17 00:00:00 2001
From: Dan Scott <dscott@laurentian.ca>
Date: Sat, 4 Aug 2012 10:26:25 -0400
Subject: [PATCH] TPAC locale picker: use POST instead of GET

Users could (deliberately or not) change another's language
preferences by sharing links with the "set_eg_locale" GET param given
the locale picker's current behaviour. By switching to a POST param, we
prevent this result from accidentally occurring.

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Art Rhyno <art632000@yahoo.ca>
---
 .../src/templates/opac/parts/locale_picker.tt2     |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index c3943a6..c81f1f1 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -1,7 +1,7 @@
 [%- IF ctx.locales.keys.size > 1;
     set_locale = CGI.param('set_eg_locale') || CGI.cookie('eg_locale');
 %]
-<form id="locale_picker_form" action="[% mkurl() %]">
+<form id="locale_picker_form" action="[% mkurl() %]" method="post">
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-- 
1.7.2.5