<div class="dialog alert">
<h3>Are you sure you want to delete the patron [% firstname %] [% surname %]? This cannot be undone.</h3>
<form action="/cgi-bin/koha/members/deletemem.pl">
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]"/>
<input type="hidden" name="op" value="delete_confirmed" />
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete</button>
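Review bot: The form that now carries the hidden csrf_token (line 3) has no `method` attribute, so it submits via GET: the token and the borrowernumber travel in the query string, where they are likely to be recorded in web-server logs and browser history and can leak through the Referer header to any page the delete redirects to. A state-changing, token-protected request should be a POST; change the tag to `<form method="post" action="/cgi-bin/koha/members/deletemem.pl">` and have deletemem.pl reject anything else. The token is also interpolated into the attribute without an output filter; I cannot tell from this hunk what character set Koha::Token emits, but `value="[% csrf_token | html %]"` costs nothing and keeps the attribute well-formed if the token format ever changes. The form's closing `</form>` tag lies outside the hunk.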
#use warnings; FIXME - Bug 2505
use CGI qw ( -utf8 );
+use Digest::MD5 qw(md5_base64);
use C4::Context;
use C4::Output;
use C4::Auth;
use C4::Branch; # GetBranches
use Module::Load;
use Koha::Patron::Images;
+use Koha::Token;
+
if ( C4::Context->preference('NorwegianPatronDBEnable') && C4::Context->preference('NorwegianPatronDBEnable') == 1 ) {
load Koha::NorwegianPatronDB, qw( NLMarkForDeletion NLSync );
}
}
# This is silly written but reflect the same conditions as above
if ( not $countissues > 0 and not $flags->{CHARGES} ne '' and not $is_guarantor and not $deletelocal == 0 ) {
- $template->param( op => 'delete_confirm' );
+ $template->param(
+ op => 'delete_confirm',
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ }
+ ),
+ );
}
}elsif ( $op eq 'delete_confirmed' ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ token => scalar $input->param('csrf_token'),
+ });
MoveMemberToDeleted($member);
C4::Members::HandleDelBorrower($member);
DelMember($member);
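Review bot: The check_csrf call in the delete_confirmed branch accepts the token from any request method, and the confirm form it pairs with is submitted without `method="post"`, so the token and borrowernumber arrive in a GET query string that is likely logged and cached; the server side should insist on a POST as well, e.g. `die "Wrong CSRF token" unless $input->request_method eq 'POST' && Koha::Token->new->check_csrf({ id => C4::Context->userenv->{id}, secret => md5_base64( C4::Context->config('pass') ), token => scalar $input->param('csrf_token') });`. A bare `die` here surfaces to the staff user as a 500 with nothing recorded server-side; a `warn "CSRF check failed for user " . C4::Context->userenv->{id} . " deleting borrowernumber " . $input->param('borrowernumber');` before the die, or rendering an error template instead of dying, gives incident responders something to find. The secret derivation `md5_base64( C4::Context->config('pass') )` is now written twice in this file; a small helper or a constant computed once keeps the two copies from drifting apart. The enclosing if/elsif chain starts before this hunk.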