Users could (deliberately or not) change another's language
preferences by sharing links with the "set_eg_locale" GET param given
the locale picker's current behaviour. By switching to a POST param, we
prevent this result from accidentally occurring.
Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Art Rhyno <art632000@yahoo.ca>
[%- IF ctx.locales.keys.size > 1;
set_locale = CGI.param('set_eg_locale') || CGI.cookie('eg_locale');
%]
-<form id="locale_picker_form" action="[% mkurl() %]">
+<form id="locale_picker_form" action="[% mkurl() %]" method="post">
<label for="locale_picker">[% l("Language:") %]</label>
[%- FOREACH param IN CGI.params(); -%]
[%- NEXT IF param.key == 'set_eg_locale'; -%]
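Review bot: Adding `method="post"` on the `<form id="locale_picker_form" ...>` line changes how the picker submits, but the context line `set_locale = CGI.param('set_eg_locale') || CGI.cookie('eg_locale');` still reads the parameter with no check on the request method. As far as these lines show, a shared link with `set_eg_locale` in its query string would still be picked up. Please confirm that the code which persists the locale (not visible in this hunk) ignores the parameter on GET requests, or restrict the read here to POST submissions. Also, a POST form keeps whatever query string is in its `action`, unlike a GET form, where the submitted fields replace it. It is therefore worth checking that `mkurl()` does not carry an existing `set_eg_locale` into the action URL, and that the `FOREACH param IN CGI.params()` loop does not now duplicate parameters already present there.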