Bug 37039: Update discharge request with CSRF token

The OPAC discharge page used a link with a GET parameter, but the script
expects a POST request. This patch converts the link to a form with CSRF
token included.

To test, apply the patch and enable the useDischarge system preference
if necessary.

- Log in to the OPAC as a user with no checkouts or outstanding fees.
- Click the "Ask for discharge" tab in the sidebar of the user summary
  page.
- Click the "Ask for a discharge" button.
- You should be redirected to a page that says "Your discharge request
  has been sent."

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 67cedc9955)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-discharge.tt

@@ -52,7 +52,11 @@
                         [% IF has_checkouts %]
                             <div class="alert alert-info">You cannot be discharged, you have checked out items. Please return items before asking for a discharge.</div>
                         [% ELSE %]
-                            <a class="btn btn-primary" href="/cgi-bin/koha/opac-discharge.pl?op=request">Ask for a discharge</a>
+                            <form action="/cgi-bin/koha/opac-discharge.pl" method="post">
+                                [% INCLUDE 'csrf-token.inc' %]
+                                <input type="hidden" name="op" value="cud-request" />
+                                <button class="btn btn-primary" type="submit">Ask for a discharge</button>
+                            </form>
                         [% END %]
 
                     [% END %]