Bug 20701: Add csrf protection to mancredit.pl

[koha.git] / members / apikeys.pl

diff --git a/members/apikeys.pl b/members/apikeys.pl
index 7354fce..9d1a4f1 100755 (executable)
--- a/members/apikeys.pl
+++ b/members/apikeys.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
 
 # This file is part of Koha.
 #
@@ -35,7 +35,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
         query           => $cgi,
         type            => 'intranet',
         authnotrequired => 0,
-        flagsrequired   => { borrowers => 1 },
+        flagsrequired   => { borrowers => 'edit_borrowers' },
     }
 );
 
@@ -45,7 +45,8 @@ my $api_key   = $cgi->param('key')       // '';
 
 $patron = Koha::Patrons->find($patron_id) if $patron_id;
 
-if ( not defined $patron ) {
+if ( not defined $patron or
+     not C4::Context->preference('RESTOAuth2ClientCredentials') ) {
 
     # patron_id invalid -> exit
     print $cgi->redirect("/cgi-bin/koha/errors/404.pl"); # escape early