Bug 18805: Add ability to use up account credits

[koha.git] / members / maninvoice.pl

diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index d3de811..db7a447 100755 (executable)
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -31,7 +31,9 @@ use C4::Members;
 use C4::Accounts;
 use C4::Items;
 use C4::Members::Attributes qw(GetBorrowerAttributes);
+use Koha::Token;
 
+use Koha::Items;
 use Koha::Patrons;
 
 use Koha::Patron::Categories;
@@ -50,12 +52,18 @@ unless ( $patron ) {
 my $add=$input->param('add');
 if ($add){
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => scalar $input->cookie('CGISESSID'),
+                token => scalar $input->param('csrf_token'),
+            });
         # Note: If the logged in user is not allowed to see this patron an invoice can be forced
         # Here we are trusting librarians not to hack the system
         my $barcode=$input->param('barcode');
         my $itemnum;
         if ($barcode) {
-            $itemnum = GetItemnumberFromBarcode($barcode);
+            my $item = Koha::Items->find({barcode => $barcode});
+            $itemnum = $item->itemnumber if $item;
         }
         my $desc=$input->param('desc');
         my $amount=$input->param('amount');
@@ -75,6 +83,7 @@ if ($add){
             if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) {
                 $template->param( 'ITEMNUMBER' => 1 );
             }
+            $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) );
             $template->param( 'ERROR' => $error );
             output_html_with_http_headers $input, $cookie, $template->output;
         } else {
@@ -95,7 +104,6 @@ if ($add){
     });
 
     my $logged_in_user = Koha::Patrons->find( $loggedinuser ) or die "Not logged in";
-    my $patron         = Koha::Patrons->find($borrowernumber);
     output_and_exit_if_error( $input, $cookie, $template, { module => 'members', logged_in_user => $logged_in_user, current_patron => $patron } );
 
   # get authorised values with type of MANUAL_INV
@@ -108,15 +116,6 @@ if ($add){
   }
   $template->param( invoice_types_loop => \@invoice_types );
 
-    if ( $patron->category->category_type eq 'C') {
-        my $patron_categories = Koha::Patron::Categories->search_limited({ category_type => 'A' }, {order_by => ['categorycode']});
-        $template->param( 'CATCODE_MULTI' => 1) if $patron_categories->count > 1;
-        $template->param( 'catcode' => $patron_categories->next->categorycode )  if $patron_categories->count == 1;
-    }
-
-    $template->param( adultborrower => 1 ) if ( $patron->category->category_type =~ /^(A|I)$/ );
-    $template->param( picture => 1 ) if $patron->image;
-
     if (C4::Context->preference('ExtendedPatronAttributes')) {
         my $attributes = GetBorrowerAttributes($borrowernumber);
         $template->param(
@@ -125,12 +124,10 @@ if ($add){
         );
     }
 
-    $template->param(%{ $patron->unblessed });
     $template->param(
+        csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
+        patron         => $patron,
         finesview      => 1,
-        borrowernumber => $borrowernumber,
-        categoryname   => $patron->category->description,
-        is_child       => ($patron->category->category_type eq 'C'),
     );
     output_html_with_http_headers $input, $cookie, $template->output;
 }