[% IF ( pay_individual ) %]
<form name="payindivfine" id="payindivfine" onsubmit="return validatePayment(this);" method="post" action="/cgi-bin/koha/members/paycollect.pl">
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
<input type="hidden" name="pay_individual" id="pay_individual" value="[% pay_individual %]" />
<input type="hidden" name="itemnumber" id="itemnumber" value="[% itemnumber %]" />
</form>
[% ELSIF ( writeoff_individual ) %]
<form name="woindivfine" id="woindivfine" action="/cgi-bin/koha/members/pay.pl" method="post" >
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<fieldset class="rows">
<legend>Write off an individual fine</legend>
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
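Review bot: The hidden `csrf_token` added to the `woindivfine` form is posted to `/cgi-bin/koha/members/pay.pl`, but the only `check_csrf` call in this diff lives in paycollect.pl, so nothing visible here validates the token on the write-off path. Unless pay.pl's write-off handler was updated in the same change (not shown), the field is emitted but never checked and the write-off request stays unprotected; worth confirming before merge, since the pay and write-off forms otherwise look symmetric. The form's closing tag and the rest of its fieldset are outside the hunk.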
[% ELSE %]
<form name="payfine" id="payfine" onsubmit="return validatePayment(this);" method="post" action="/cgi-bin/koha/members/paycollect.pl">
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
<input type="hidden" name="selected_accts" id="selected_accts" value="[% selected_accts %]" />
<input type="hidden" name="total" id="total" value="[% total %]" />
use C4::Koha;
use Koha::Patron::Images;
use Koha::Account;
+use Koha::Token;
use Koha::Patron::Categories;
total_due => $total_due
);
} else {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
if ($individual) {
if ( $total_paid == $total_due ) {
makepayment( $accountlines_id, $borrowernumber, $accountno, $total_paid, $user,
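Review bot: In the `check_csrf` hash, `session_id => $input->cookie('CGISESSID')` is evaluated in list context, whereas the `generate_csrf` call later in this diff wraps the same cookie lookup in `scalar`; a cookie() call returning a list inside a hash constructor can shift the following key/value pairs, so `check_csrf` would receive mismatched arguments. Use the same form in both places: `session_id => scalar $input->cookie('CGISESSID'),`. Also note that `die` here is inside an `else` whose `if` branch starts before the hunk, so it is worth confirming that every path reaching makepayment goes through this check rather than the other branch.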
total => $total_due,
RoutingSerials => C4::Context->preference('RoutingSerials'),
ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'),
+
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
);
output_html_with_http_headers $input, $cookie, $template->output;