Bug 19531: When saving patron record do not redirect to circ if not authorised
[koha.git] / members / paycollect.pl
index 3b8b922..9ec3077 100755 (executable)
@@ -31,6 +31,7 @@ use C4::Koha;
 use Koha::Patron::Images;
 use Koha::Patrons;
 use Koha::Account;
+use Koha::Token;
 
 use Koha::Patron::Categories;
 
@@ -50,6 +51,10 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 # get borrower details
 my $borrowernumber = $input->param('borrowernumber');
 my $patron         = Koha::Patrons->find( $borrowernumber );
+unless ( $patron ) {
+    print $input->redirect("/cgi-bin/koha/circ/circulation.pl?borrowernumber=$borrowernumber");
+    exit;
+}
 my $borrower       = $patron->unblessed;
 my $category       = $patron->category;
 $borrower->{description} = $category->description;
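Review bot: The redirect on the fourth line of the hunk interpolates the raw `borrowernumber` request parameter straight into the Location URL, so an unescaped value can append extra query parameters or produce a malformed URL, and an absent parameter triggers an uninitialized-value warning in the string. Escape it before building the URL, e.g. `my $target = "/cgi-bin/koha/circ/circulation.pl?borrowernumber=" . uri_escape_utf8( $borrowernumber // '' );` followed by `print $input->redirect($target);`. Since `uri_unescape` is used further down the file, URI::Escape appears to be loaded already; confirm `uri_escape_utf8` is among its imports. The script's top-level flow continues outside the hunk.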
@@ -65,8 +70,7 @@ my $individual   = $input->param('pay_individual');
 my $writeoff     = $input->param('writeoff_individual');
 my $select_lines = $input->param('selected');
 my $select       = $input->param('selected_accts');
-my $payment_note = uri_unescape $input->param('payment_note');
-my $accountno;
+my $payment_note = uri_unescape scalar $input->param('payment_note');
 my $accountlines_id;
 
 if ( $individual || $writeoff ) {
@@ -79,7 +83,6 @@ if ( $individual || $writeoff ) {
     $accountlines_id       = $input->param('accountlines_id');
     my $amount            = $input->param('amount');
     my $amountoutstanding = $input->param('amountoutstanding');
-    $accountno = $input->param('accountno');
     my $itemnumber  = $input->param('itemnumber');
     my $description  = $input->param('description');
     my $title        = $input->param('title');
@@ -89,7 +92,6 @@ if ( $individual || $writeoff ) {
     $template->param(
         accounttype       => $accounttype,
         accountlines_id    => $accountlines_id,
-        accountno         => $accountno,
         amount            => $amount,
         amountoutstanding => $amountoutstanding,
         title             => $title,
@@ -115,6 +117,12 @@ if ( $total_paid and $total_paid ne '0.00' ) {
             total_due => $total_due
         );
     } else {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => $input->cookie('CGISESSID'),
+                token  => scalar $input->param('csrf_token'),
+            });
+
         if ($individual) {
             my $line = Koha::Account::Lines->find($accountlines_id);
             Koha::Account->new( { patron_id => $borrowernumber } )->pay(
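Review bot: The `session_id` argument of the added `check_csrf` call evaluates `$input->cookie('CGISESSID')` in list context, unlike the `token` entry on the next line and the `generate_csrf` call at the end of the file, which both force scalar; CGI's cookie() can hand back more than one value for a multi-valued cookie, which would shift the keys of the anonymous hash and make the token comparison operate on the wrong fields. Use `session_id => scalar $input->cookie('CGISESSID'),` so all three call sites agree. The enclosing `if ( $total_paid ... )` block starts before the hunk and ends after it.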
@@ -139,12 +147,12 @@ if ( $total_paid and $total_paid ne '0.00' ) {
                     {
                         borrowernumber    => $borrowernumber,
                         amountoutstanding => { '<>' => 0 },
-                        accountno         => { 'IN' => \@acc },
+                        accountlines_id   => { 'IN' => \@acc },
                     },
                     { order_by => 'date' }
                 );
 
-                return Koha::Account->new(
+                Koha::Account->new(
                     {
                         patron_id => $borrowernumber,
                     }
@@ -182,6 +190,8 @@ $template->param(
     total         => $total_due,
     RoutingSerials => C4::Context->preference('RoutingSerials'),
     ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'),
+
+    csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
 );
 
 output_html_with_http_headers $input, $cookie, $template->output;