- if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
- my $barcode = $input->param('barcode');
- my $itemnum;
- if ($barcode) {
- $itemnum = GetItemnumberFromBarcode($barcode);
- }
- my $desc = $input->param('desc');
- my $note = $input->param('note');
- my $amount = $input->param('amount') || 0;
- $amount = -$amount;
- my $type = $input->param('type');
- manualinvoice( $borrowernumber, $itemnum, $desc, $type, $amount, $note );
- print $input->redirect("/cgi-bin/koha/members/boraccount.pl?borrowernumber=$borrowernumber");
+
+ output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf( {
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
+ # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+ # Here we are trusting librarians not to hack the system
+ my $barcode = $input->param('barcode');
+ my $item_id;
+ if ($barcode) {
+ my $item = Koha::Items->find({barcode => $barcode});
+ $item_id = $item->itemnumber if $item;