use CGI qw ( -utf8 );
use Digest::MD5 qw( md5_base64 md5_hex );
use String::Random qw( random_string );
+use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);
use C4::Auth;
use C4::Output;
}
elsif ( $action eq 'update' ) {
+ my $borrower = GetMember( borrowernumber => $borrowernumber );
+ my $csrf_status = check_csrf_token($borrower->{userid}, md5_base64(C4::Context->config('pass')), scalar $cgi->param('csrf_token'));
+ die "Wrong CSRF token" unless ($csrf_status == CSRF_OK);
+
my %borrower = ParseCgiForBorrower($cgi);
my %borrower_changes = DelEmptyFields(%borrower);
$template->param(
empty_mandatory_fields => \@empty_mandatory_fields,
invalid_form_fields => $invalidformfields,
- borrower => \%borrower
+ borrower => \%borrower,
+ csrf_token => generate_csrf_token($borrower->{userid}, md5_base64(C4::Context->config('pass'))),
);
$template->param( action => 'edit' );
action => 'edit',
nochanges => 1,
borrower => GetMember( borrowernumber => $borrowernumber ),
+ csrf_token => generate_csrf_token($borrower->{userid}, md5_base64(C4::Context->config('pass')))
);
}
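Review bot: Nothing confirms that the `GetMember` call at the top of the `update` branch actually returned a patron before its `userid` is fed to `check_csrf_token`, so an unknown `$borrowernumber` leaves `$borrower->{userid}` undef and the token is checked against an empty identity, with a "use of uninitialized value" warning instead of a clear rejection; a guard such as `die "Unknown patron" unless $borrower;` directly after the `my $borrower = GetMember(...)` line makes the failure explicit before any token work happens. The `die "Wrong CSRF token"` line then aborts the CGI with an uncaught exception, which the server reports as a generic error rather than a rendered page — acceptable as a hard stop, but worth a comment stating that this is deliberate (the request is rejected before `ParseCgiForBorrower` touches any submitted field, which is the right ordering). The secret expression `md5_base64(C4::Context->config('pass'))` is repeated at the check and at every `csrf_token =>` template entry, including the one in the following hunk; computing it once, e.g. `my $csrf_secret = md5_base64(C4::Context->config('pass'));`, keeps the verifier and the generators from drifting apart, and since it is an unsalted MD5 of the database password, a short comment explaining why that value serves as the signing key would help the next maintainer. The enclosing `elsif ( $action eq 'update' )` block starts before and ends after this hunk.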
}
borrower => $borrower,
guarantor => scalar Koha::Patrons->find($borrowernumber)->guarantor(),
hidden => GetHiddenFields( $mandatory, 'modification' ),
+ csrf_token => generate_csrf_token($borrower->{userid}, md5_base64(C4::Context->config('pass')))
);
if (C4::Context->preference('OPACpatronimages')) {