<form action="/cgi-bin/koha/members/mancredit.pl" method="post" id="mancredit">
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<fieldset class="rows">
<legend>Manual credit</legend><ol>
use Koha::Patron::Images;
use Koha::Patron::Categories;
+use Koha::Token;
my $input=new CGI;
my $flagsrequired = { borrowers => 1, updatecharges => 1 };
if ($add){
if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
+ # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+ # Here we are trusting librarians not to hack the system
my $barcode = $input->param('barcode');
my $itemnum;
if ($barcode) {
borrowernumber => $borrowernumber,
categoryname => $data->{'description'},
is_child => ($data->{'category_type'} eq 'C'),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { session_id => scalar $input->cookie('CGISESSID') }
+ ),
);
output_html_with_http_headers $input, $cookie, $template->output;
}