[% END %]
[% ELSE %]
<form action="/cgi-bin/koha/members/maninvoice.pl" method="post" id="maninvoice"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<fieldset class="rows">
<legend>Manual invoice</legend>
<ol>
use C4::Accounts;
use C4::Items;
use C4::Members::Attributes qw(GetBorrowerAttributes);
+use Koha::Token;
use Koha::Patrons;
my $add=$input->param('add');
if ($add){
if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
# Note: If the logged in user is not allowed to see this patron an invoice can be forced
# Here we are trusting librarians not to hack the system
my $barcode=$input->param('barcode');
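Review bot: The new check passes `scalar $input->cookie('CGISESSID')` as `session_id`, and nothing in this hunk guards against that cookie being absent; whether `check_csrf` then rejects the request or merely compares against a token derived from an undefined session id is not visible here, so please confirm an undef `session_id` is rejected (or add `die "Wrong CSRF token" unless $input->cookie('CGISESSID');` ahead of it). The check sits inside the `checkauth` branch and before any account line is written, which is the right order; a one-line comment would make that intent survive later edits, e.g. `# Token is bound to the CGISESSID session; reject the POST before any fine is recorded`. The `if ($add)` branch continues past the end of this hunk. The same `Koha::Token->new->generate_csrf({ session_id => ... })` expression is then written twice in the later hunks (the error-path `$template->param` and the final one); generating it once into a lexical before branching would keep the two render paths from drifting.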
if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) {
$template->param( 'ITEMNUMBER' => 1 );
}
+ $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) );
$template->param( 'ERROR' => $error );
output_html_with_http_headers $input, $cookie, $template->output;
} else {
}
$template->param(
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
patron => $patron,
finesview => 1,
);