Add csrf-token to post forms
ricofreak committed Dec 12, 2024
1 parent 6b82998 commit 0342f7d
Showing 4 changed files with 50 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Koha/Plugin/Com/MarywoodUniversity/RoomReservations/bookas.tt
Expand Up @@ -62,6 +62,7 @@
}
</script>
<form name="availabilitySearchForm" method="post" action="#" onsubmit="return validateAvailabilitySearch()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
Expand Down Expand Up @@ -257,6 +258,7 @@
}
</script>
<form method="post" action="#" onsubmit="return validateAvailabilitySearchResults()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
Expand Down Expand Up @@ -297,13 +299,15 @@
[% ELSE %]
<h2 class="no-rooms-match">[% 'No rooms match your criteria!' | gettext %]</h2>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="" />

<button>[% 'Click here to try another search' | gettext %]</button>
[% END # IF are_rooms_available == 1 %]
</form>
[% ELSIF op == 'room-selection-confirmation' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
Expand Down Expand Up @@ -348,6 +352,7 @@
</h2>

<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
Expand All @@ -360,6 +365,7 @@
<h3>[% 'An email confirmation has been sent to' | gettext %] [% patron_email %]!</h3>
[% END %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
Expand Down
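Review bot: Rendering the token field is only half of the protection; nothing in this commit verifies it, so confirm that the plugin's POST handlers (or the Koha CSRF middleware, if the targeted Koha version runs one) reject a request whose `csrf_token` is missing or invalid, otherwise these forms are no safer than before. The include also depends on the `csrf_token` template variable being populated for plugin-rendered templates and on `csrf-token.inc` being on the plugin template's include path, both inherited from Koha core rather than visible here, so rendering one of these pages and inspecting the hidden input is worth doing before merge. The same point applies to every hunk in configure.tt, tool.tt and the third file section whose header is not shown. A short template comment next to the first include, e.g. `[%# csrf_token is checked server-side in <HANDLER-PLACEHOLDER> %]`, would tell the next maintainer where the check lives.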
31 changes: 31 additions & 0 deletions Koha/Plugin/Com/MarywoodUniversity/RoomReservations/configure.tt
Expand Up @@ -82,6 +82,7 @@

[% IF op == '' %]
<form name="config_actions" method="post" action="#" onsubmit="return validateConfigActions()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="action-selected" />
Expand Down Expand Up @@ -120,6 +121,7 @@
};
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="[% action %]" />
Expand Down Expand Up @@ -152,6 +154,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -160,6 +163,7 @@
<br />
<br />
<form name="displayRooms" method="post" action="#" onsubmit="return validateDisplayRooms()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="display-rooms-detail" />
Expand Down Expand Up @@ -198,6 +202,7 @@

[% IF op == 'display-rooms-detail' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -206,6 +211,7 @@
<br />
<br />
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="display-rooms" />
Expand Down Expand Up @@ -243,6 +249,7 @@

[% IF op == 'max-future-date' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -268,6 +275,7 @@
}
</script>
<form name="maxFutureDateForm" method="post" action="#" onsubmit="return validateMaxFutureDate();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="max-future-date" />
Expand Down Expand Up @@ -306,6 +314,7 @@

[% IF op == 'max-time' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -326,6 +335,7 @@
}
</script>
<form name="maxTimeForm" method="post" action="#" onsubmit="return validateMaxTime();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="max-time" />
Expand Down Expand Up @@ -400,6 +410,7 @@

[% IF op == 'restrict-daily-reservations-per-patron' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -420,6 +431,7 @@
}
</script>
<form name="restrictDailyReservationsForm" method="post" action="#" onsubmit="return validateLimitRestriction();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="restrict-daily-reservations-per-patron" />
Expand Down Expand Up @@ -483,6 +495,7 @@

[% IF op == 'restrict-categories' %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -503,6 +516,7 @@
}
</script>
<form name="restrictCategoriesForm" method="post" action="#" onsubmit="return validateRestrictCategories();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="restrict-categories" />
Expand Down Expand Up @@ -596,6 +610,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -621,6 +636,7 @@

<!-- TODO: Display table of rooms already added -->
<form name="addRoomForm" method="post" action="#" onsubmit="return validateAddRooms()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="add-rooms" />
Expand Down Expand Up @@ -681,6 +697,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -689,6 +706,7 @@
<br />
<br />
<form name="editRoomsForm" method="post" action="#" onsubmit="return validateEditRooms()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="edit-rooms-selection" />
Expand Down Expand Up @@ -736,6 +754,7 @@
};
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="[% edit_action %]" />
Expand Down Expand Up @@ -766,6 +785,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -774,6 +794,7 @@
<br />
<br />
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="edit-rooms" />
Expand All @@ -783,6 +804,7 @@
<br />
<br />
<form name="editRoomDetails" method="post" action="#" onsubmit="return validateEditRoomsRoom()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="edit-rooms" />
Expand Down Expand Up @@ -832,6 +854,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -840,6 +863,7 @@
<br />
<br />
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="edit-rooms" />
Expand All @@ -849,6 +873,7 @@
<br />
<br />
<form name="editRoomEquipment" method="post" action="#" onsubmit="return validateEditRoomsEquipment()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="edit-rooms" />
Expand Down Expand Up @@ -919,6 +944,7 @@
<br />
<br />
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -927,6 +953,7 @@
<br />
<br />
<form method="post" action="#" onsubmit="return deleteRoomConfirmation()">
[% INCLUDE 'csrf-token.inc' %]
[% IF rooms_available_to_delete == 1 %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
Expand Down Expand Up @@ -973,6 +1000,7 @@
}
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand Down Expand Up @@ -1002,6 +1030,7 @@
<br />

<form name="addEquipment" method="post" action="#" onsubmit="return validateAddEquipment()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="add-equipment" />
Expand Down Expand Up @@ -1054,6 +1083,7 @@
<br />
<br />
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />

Expand All @@ -1062,6 +1092,7 @@
<br />
<br />
<form method="post" action="#" onsubmit="return deleteEquipmentConfirmation()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="delete-equipment" />
Expand Down
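Review bot: The `op` values these forms submit, such as `add-rooms`, `edit-rooms-selection` and `delete-equipment`, carry no `cud-` prefix; if this plugin targets Koha 24.05 or later, its CSRF middleware also requires that the `op` of a POST start with `cud-`, so adding the token alone may still leave every state-changing submission rejected. The Koha version targeted is not visible in this commit, so this is a point to test end to end on one form rather than a confirmed defect. The hunks in bookas.tt and tool.tt carry the same unprefixed values. If the prefix is required, the change is `value="cud-add-rooms"` in the hidden `op` input with a matching update in the Perl dispatch, which lies outside these hunks.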
Expand Up @@ -473,6 +473,7 @@
<tr>
<td style="text-align:left" colspan="10">
<form method="post" name="book-room" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="availability-search" />
<input type="submit" name="book-room-btn" value="[% 'Book a Room' | gettext %]" />
</form>
Expand Down Expand Up @@ -588,6 +589,7 @@
<div class="span12">

<form name="availabilitySearchForm" method="post" action="#" onsubmit="return (validateAvailabilitySearch() && checkExistingBookings())">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="max_days" id="max_days" value="[% max_days %]" />
<input type="hidden" name="max_time" id="max_time" value="[% max_time %]" />
<table align="center">
Expand Down Expand Up @@ -796,6 +798,7 @@
<div class="row-fluid">
<div class="span12">
<form method="post" action="#" onsubmit="return validateAvailabilitySearchResults()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="start-date" value="[% start_date %]" />
[% IF are_rooms_available == 1 %]
<table border="2">
Expand Down Expand Up @@ -834,6 +837,7 @@
[% ELSE %]
<h2 class="no-rooms-match">[% 'No rooms match your criteria!' | gettext %]</h2>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="op" value="availability-search" />

<button>[% 'Click here to try another search' | gettext %]</button>
Expand Down Expand Up @@ -867,6 +871,7 @@
<div class="span12">

<form name="confirmationForm" id="confirmationForm" method="post" action="#" onsubmit="return validateConfirmationForm();">
[% INCLUDE 'csrf-token.inc' %]
<fieldset style="float:left;">
<legend>[% 'Confirmation' | gettext %]</legend>
<p>[% 'Name:' | gettext %] <input type="text" size="36" value="[% current_user %]" readonly="true" /></p>
Expand Down Expand Up @@ -910,6 +915,7 @@
</h2>

<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]

<button>[% 'Click here to search again' | gettext %]</button>
</form>
Expand All @@ -920,6 +926,7 @@
<h3>[% 'An email confirmation has been sent to' | gettext %] [% patron_email %]!</h3>
[% END %]
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]

<button>[% 'Back to calendar' | gettext %]</button>
</form>
Expand Down
6 changes: 6 additions & 0 deletions Koha/Plugin/Com/MarywoodUniversity/RoomReservations/tool.tt
Expand Up @@ -53,6 +53,7 @@
}
</script>
<form name="tool_actions" method="post" action="#" onsubmit="return validateAction()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="action-selected" />
Expand Down Expand Up @@ -83,6 +84,7 @@
};
</script>
<form method="post" action="#">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="[% action %]" />
Expand Down Expand Up @@ -121,6 +123,7 @@
</script>
<!-- TODO: add JS validation to check only one action item is selected - if (count > 1) -->
<form name="manageBookingsForm" method="post" action="#" onsubmit="return validateBookingAction()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="manage-reservations" />
Expand Down Expand Up @@ -210,6 +213,7 @@
}
</script>
<form name="manageBlackoutsForm" action="#" method="post" onsubmit="return validateManageBlackouts()">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="manage-blackouts" />
Expand Down Expand Up @@ -353,6 +357,7 @@
</script>
<div id="full-blackout">
<form action="#" name="fullBlackoutForm" method="post" onsubmit="return validateFullBlackout();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="manage-blackouts" />
Expand Down Expand Up @@ -449,6 +454,7 @@
</script>
<div id="partial-blackout">
<form action="#" name="partialBlackoutForm" method="post" onsubmit="return validatePartialBlackout();">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="class" value="[% CLASS %]" />
<input type="hidden" name="method" value="[% METHOD %]" />
<input type="hidden" name="op" value="manage-blackouts" />
Expand Down
