<h1>API keys for [% INCLUDE 'patron-title.inc' %]</h1>
<form id="add-api-key" action="/cgi-bin/koha/members/apikeys.pl" method="post" style="display:none">
<input type="hidden" name="patron_id" value="[% patron.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="op" value="generate" />
<fieldset class="brief">
<legend>Generate new client id/secret pair</legend>
<form action="/cgi-bin/koha/members/apikeys.pl" method="post">
<input type="hidden" name="patron_id" value="[% patron.id %]" />
<input type="hidden" name="key" value="[% key.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="op" value="delete" />
<button class="btn btn-default btn-xs delete" type="submit"><i class="fa fa-trash"></i> Delete</button>
</form>
<form action="/cgi-bin/koha/members/apikeys.pl" method="post">
<input type="hidden" name="patron_id" value="[% patron.id %]" />
<input type="hidden" name="key" value="[% key.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
[% IF key.active %]
<input type="hidden" name="op" value="revoke" />
<button class="btn btn-default btn-xs" type="submit"><i class="fa fa-remove"></i> Revoke</button>
<fieldset>
<legend>Generate new client id/secret pair</legend>
<input type="hidden" name="patron_id" value="[% patron.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="op" value="generate" />
<label for="description">Description: </label>
<input type="text" name="description" />
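Review bot: The new hidden inputs interpolate the token into an attribute value unfiltered (`[% csrf_token %]`), whereas Koha's template convention, as far as I recall it, is to filter every value placed into markup; `<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />` would keep a quote or angle bracket in the token from terminating the attribute. The token is generated server-side by Koha::Token so this is defence in depth rather than a live injection, but the neighbouring `[% patron.id %]` and `[% key.id %]` follow the same unfiltered shape, and a consistent `| html` makes the missing-filter lint (if this tree has one) happy. If a TT plugin already auto-escapes this template the explicit filter is harmless. The enclosing forms and fieldsets start and end outside the visible hunks.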
<td>
<form action="/cgi-bin/koha/opac-apikeys.pl" method="post" class="form-inline">
<input type="hidden" name="key" value="[% key.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="op" value="delete" />
<button class="btn btn-link btn-xs delete-key" type="submit"><i class="fa fa-trash"></i> Delete</button>
</form>
<form action="/cgi-bin/koha/opac-apikeys.pl" method="post" class="form-inline">
<input type="hidden" name="key" value="[% key.id %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
[% IF key.active %]
<input type="hidden" name="op" value="revoke" />
<button class="btn btn-link btn-xs" type="submit"><i class="fa fa-remove"></i> Revoke</button>
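Review bot: The OPAC delete and revoke forms now carry `csrf_token` plus `key`, which proves the request originated from the logged-in patron's session but says nothing about whether `key.id` belongs to that patron; the server-side lookup in opac-apikeys.pl must still scope the key by the session's patron_id (that code is outside this hunk, so I cannot confirm it does). As in the staff template, the token value is interpolated without a filter — `[% csrf_token | html %]` matches the usual convention. The `[% IF key.active %]` branch and its form close outside the hunk.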
use Koha::ApiKeys;
use Koha::Patrons;
+use Koha::Token;
my $cgi = new CGI;
exit;
}
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+ $op eq 'delete' or
+ $op eq 'revoke' or
+ $op eq 'activate' ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ });
+}
if ($op) {
if ( $op eq 'generate' ) {
my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
$template->param(
- api_keys => \@api_keys,
- patron => $patron
+ api_keys => \@api_keys,
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
+ patron => $patron
);
output_html_with_http_headers $cgi, $cookie, $template->output;
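Review bot: The CSRF check is gated on an enumerated list of four ops (`generate`, `delete`, `revoke`, `activate`), so any op added later, or a misspelt one that still reaches a mutating branch, silently bypasses the token check; since every op this script accepts appears to mutate state (the four listed are the only ones visible, the `if ($op)` dispatch continues outside the hunk), the guard should simply be `if ( $op ) {` with the same `die ... unless check_csrf` body, and a short comment such as `# every op here mutates the key table; require a token for all of them`. The token proves the request came from the staff user's session but not that `key` belongs to `patron_id`, so the per-key branches still need that ownership/permission check — they are not in view. Note also that a bare `die` here surfaces as a generic 500 under Koha's CGI error handling (presumably; I cannot see the wrapper), which is acceptable for a CSRF failure but worth a comment so nobody "fixes" it into a redirect later.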
use Koha::ApiKeys;
use Koha::Patrons;
+use Koha::Token;
my $cgi = new CGI;
exit;
}
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+ $op eq 'delete' or
+ $op eq 'revoke' or
+ $op eq 'activate' ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ });
+}
if ($op) {
if ($op eq 'generate') {
$template->param(
api_keys => \@api_keys,
apikeysview => 1,
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
patron => $patron
);
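Review bot: Same allowlist gap as the staff script: the token is only checked for four named ops at the `if ( $op eq 'generate' or ...` guard, so a new or misspelt op skips it; `if ( $op ) {` with the unchanged body closes that hole for every mutating request (the `if ($op)` dispatch and `generate` branch continue outside the hunk). Because the token is read from `$cgi->param('csrf_token')` without regard to request method, a GET carrying a valid token is also accepted, which lets a token end up in a URL, browser history or Referer; tightening to `die "Wrong CSRF token" unless $cgi->request_method eq 'POST' and Koha::Token->new->check_csrf({ ... });` keeps the token POST-only as the OPAC forms already are. The duplicated block in members/apikeys.pl would benefit from the same change so the two scripts stay consistent.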