use C4::Debug;
use Koha::Patrons;
-use Koha::Patron::Image;
+use Koha::Patron::Images;
+use Koha::Token;
my $input = new CGI;
debug => 0,
});
-my $filetype = $input->param('filetype');
+our $filetype = $input->param('filetype') || '';
my $cardnumber = $input->param('cardnumber');
-my $uploadfilename = $input->param('uploadfile');
+our $uploadfilename = $input->param('uploadfile') || '';
my $uploadfile = $input->upload('uploadfile');
my $borrowernumber = $input->param('borrowernumber');
my $op = $input->param('op') || '';
$debug and warn "Operation requested: $op";
-my ( $total, $handled, @counts, $tempfile, $tfh, %errors );
+my ( $total, $handled, $tempfile, $tfh );
+our @counts = ();
+our %errors = ();
# Case is important in these operational values as the template must use case to be visually pleasing!
if ( ( $op eq 'Upload' ) && $uploadfile ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
my $dirname = File::Temp::tempdir( CLEANUP => 1 );
$debug and warn "dirname = $dirname";
my $filesuffix;
$template->param( filetype => $filetype );
}
elsif ( $op eq 'Delete' ) {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
my $deleted = eval {
Koha::Patron::Images->find( $borrowernumber )->delete;
};
"/cgi-bin/koha/members/moremember.pl?borrowernumber=$borrowernumber");
}
else {
+ $template->param(
+ csrf_token => Koha::Token->new->generate_csrf({
+ session_id => scalar $input->cookie('CGISESSID'),
+ }),
+ );
output_html_with_http_headers $input, $cookie, $template->output;
}