-use C4::Branch;
-
-my $input=new CGI;
-
-my $borrowernumber=$input->param('borrowernumber');
-
-
-# get borrower details
-my $data=GetMember('borrowernumber'=>$borrowernumber);
-my $add=$input->param('add');
-if ($add){
- if(checkauth($input)) {
- # print $input->header;
- my $barcode=$input->param('barcode');
- my $itemnum = GetItemnumberFromBarcode($barcode) if $barcode;
- my $desc=$input->param('desc');
- my $amount=$input->param('amount');
- my $type=$input->param('type');
- my $note = $input->param('note');
- my $error = manualinvoice( $borrowernumber, $itemnum, $desc, $type, $amount, $note );
- if ($error) {
- my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
- { template_name => "members/maninvoice.tmpl",
- query => $input,
- type => "intranet",
- authnotrequired => 0,
- flagsrequired => { borrowers => 1 },
- debug => 1,
+use Koha::Token;
+
+use Koha::Patrons;
+use Koha::Items;
+use Koha::Old::Items;
+use Koha::Checkouts;
+use Koha::Old::Checkouts;
+
+use Koha::Patron::Categories;
+use Koha::Account::DebitTypes;
+
+my $input = new CGI;
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
+ {
+ template_name => "members/maninvoice.tt",
+ query => $input,
+ type => "intranet",
+ flagsrequired => {
+ borrowers => 'edit_borrowers',
+ updatecharges => 'remaining_permissions'
+ }
+ }
+);
+
+my $borrowernumber = $input->param('borrowernumber');
+my $patron = Koha::Patrons->find($borrowernumber);
+unless ($patron) {
+ print $input->redirect(
+ "/cgi-bin/koha/circ/circulation.pl?borrowernumber=$borrowernumber");
+ exit;
+}
+
+my $logged_in_user = Koha::Patrons->find($loggedinuser);
+output_and_exit_if_error(
+ $input, $cookie,
+ $template,
+ {
+ module => 'members',
+ logged_in_user => $logged_in_user,
+ current_patron => $patron
+ }
+);
+
+my $library_id = C4::Context->userenv->{'branch'};
+my $desc = $input->param('desc');
+my $amount = $input->param('amount');
+my $note = $input->param('note');
+my $debit_type = $input->param('type');
+my $barcode = $input->param('barcode');
+$template->param(
+ desc => $desc,
+ amount => $amount,
+ note => $note,
+ type => $debit_type,
+ barcode => $barcode
+);
+
+my $add = $input->param('add');
+if ($add) {
+ output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf(
+ {
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ }
+ );
+
+ # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+ # Here we are trusting librarians not to hack the system
+ my $desc = $input->param('desc');
+ my $amount = $input->param('amount');
+ my $note = $input->param('note');
+ my $debit_type = $input->param('type');
+
+ # If barcode is passed, attempt to find the associated item
+ my $failed;
+ my $item_id;
+ my $olditem; # FIXME: When items and deleted_items are merged, we can remove this
+ my $issue_id;
+ if ($barcode) {
+ my $item = Koha::Items->find( { barcode => $barcode } );
+ if ($item) {
+ $item_id = $item->itemnumber;
+ }
+ else {
+ $item = Koha::Old::Items->search( { barcode => $barcode },
+ { order_by => { -desc => 'timestamp' }, rows => 1 } );
+ if ($item->count) {
+ $item_id = $item->next->itemnumber;
+ $olditem = 1;
+ }
+ else {
+ $template->param( error => 'itemnumber' );
+ $failed = 1;
+ }
+ }
+
+ if ( ( $debit_type eq 'LOST' ) && $item_id ) {
+ my $checkouts = Koha::Checkouts->search(
+ {
+ itemnumber => $item_id,
+ borrowernumber => $borrowernumber