<form action="/cgi-bin/koha/members/mancredit.pl" method="post" id="mancredit">
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<fieldset class="rows">
<legend>Manual credit</legend><ol>
use Koha::Patrons;
use Koha::Patron::Categories;
+use Koha::Token;
my $input=new CGI;
my $flagsrequired = { borrowers => 'edit_borrowers', updatecharges => 1 };
if ($add){
if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
# Note: If the logged in user is not allowed to see this patron an invoice can be forced
# Here we are trusting librarians not to hack the system
my $barcode = $input->param('barcode');
);
}
- $template->param( patron => $patron );
-
$template->param(
- finesview => 1,
- );
+ patron => $patron,
+ finesview => 1,
+ csrf_token => Koha::Token->new->generate_csrf(
+ { session_id => scalar $input->cookie('CGISESSID') }
+ ),
+ );
output_html_with_http_headers $input, $cookie, $template->output;
}