From: Dan Scott <dscott@laurentian.ca>
Date: Sat, 4 Aug 2012 14:26:25 +0000 (-0400)
Subject: TPAC locale picker: use POST instead of GET
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=787fc31935b60c5e35509f7a395be1e9815979f8;p=evergreen%2Fpines.git

TPAC locale picker: use POST instead of GET

Users could (deliberately or not) change another's language
preferences by sharing links with the "set_eg_locale" GET param given
the locale picker's current behaviour. By switching to a POST param, we
prevent this result from accidentally occurring.

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Art Rhyno <art632000@yahoo.ca>
---

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index c3943a61de..c81f1f134d 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -1,7 +1,7 @@
 [%- IF ctx.locales.keys.size > 1;
     set_locale = CGI.param('set_eg_locale') || CGI.cookie('eg_locale');
 %]
-<form id="locale_picker_form" action="[% mkurl() %]">
+<form id="locale_picker_form" action="[% mkurl() %]" method="post">
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]