Patron self-registration form ignores required fields if they are deleted
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Evergreen | Confirmed | Undecided | Unassigned | | |
Bug Description
Evergreen Version: 3.3.4
OpenSRF version: 3.2.0
PGsql version: 9.5
Linux Distro: Ubuntu 16.04
A client alerted us that several patrons have registered without filling out the required "date of birth" field. After testing, we found the following exploit within the patron registration form:
When registering for a new card, the patron can delete inputs from the form within their browser to bypass required fields.
Steps to reproduce:
1. Open the self-registration form with the "request a library card" link.
2. Enter desired information.
3. Open the form in the browser's inspector and remove any number of "required" rows with the red asterisk.
4. Submit the form successfully. Any required fields that were deleted are ignored and the red error messages expected do not appear.
When looking in the "Pending patron" views, the required fields are empty and must be entered manually by the client to complete registration.
Inside of src/perlmods/
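
An added example, not part of the original report and not Evergreen's own code: a server-side check in Perl that treats a required field whose input was deleted in the browser the same as one left blank. The field names, the required list and the sample submissions are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical server-side policy: the list of required fields comes from
# server configuration, never from which inputs the browser chose to submit.
my @REQUIRED = qw(first_given_name family_name dob);

# Returns the required fields that are absent or blank in the submitted
# parameters (a hash reference of field name => value).
sub missing_required {
    my ($params, $required) = @_;
    my @missing;
    for my $field (@$required) {
        my $value = $params->{$field};
        # A deleted <input> means the key never arrives at all, so an
        # undefined value is rejected exactly like an empty or
        # whitespace-only one.
        push @missing, $field
            unless defined $value && $value =~ /\S/;
    }
    return @missing;
}

# Constructed sample submissions.
my %cases = (
    'complete form'   => { first_given_name => 'Ann', family_name => 'Lee',
                           dob => '1990-04-02' },
    'dob row deleted' => { first_given_name => 'Ann', family_name => 'Lee' },
    'dob left blank'  => { first_given_name => 'Ann', family_name => 'Lee',
                           dob => '  ' },
);

for my $name (sort keys %cases) {
    my @missing = missing_required($cases{$name}, \@REQUIRED);
    printf "%-16s %s\n", $name,
        @missing ? "REJECT (missing: @missing)" : "accept";
}
```

The loop runs over the server's required list rather than over the submitted keys, so removing a row from the page cannot remove its check.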