diff --git a/admin/preferences.pl b/admin/preferences.pl
index 20a187e3f1..05b98dbbe9 100755
--- a/admin/preferences.pl
+++ b/admin/preferences.pl
@@ -25,7 +25,7 @@ use C4::Context;
 use C4::Koha qw( getallthemes );
 use C4::Languages qw( getTranslatedLanguages );
 use C4::ClassSource qw( GetClassSources GetClassSource );
-use C4::Output qw( output_html_with_http_headers );
+use C4::Output qw( output_html_with_http_headers output_and_exit_if_error );
 use C4::Templates;
 use Koha::Acquisition::Currencies;
 use Koha::Database::Columns;
@@ -354,6 +354,7 @@ $tab ||= 'accounting'; # Ideally this should be "local-use" but preferences.pl
 my $highlighted;
 if ( $op eq 'save' ) {
+ output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
 foreach my $param ( $input->param() ) {
 my ( $pref ) = ( $param =~ /pref_(.*)/ );
diff --git a/admin/systempreferences.pl b/admin/systempreferences.pl
index 1eb54552b1..d2d1369223 100755
--- a/admin/systempreferences.pl
+++ b/admin/systempreferences.pl
@@ -49,7 +49,7 @@ use C4::Context;
 use C4::Koha qw( getallthemes );
 use C4::Languages qw( getTranslatedLanguages );
 use C4::ClassSource qw( GetClassSources GetClassSource );
-use C4::Output qw( output_html_with_http_headers );
+use C4::Output qw( output_html_with_http_headers output_and_exit_if_error );
 use YAML::XS;
 my %tabsysprefs; #we do no longer need to keep track of a tab per pref (yaml)
@@ -235,6 +235,7 @@ if ($op) {
 }
 if ( $op eq 'update_and_reedit' ) {
+ output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
 foreach ( $input->param ) {
 }
 my $value = '';
@@ -302,6 +303,7 @@ if ( $op eq 'add_form' ) {
 ################## ADD_VALIDATE ##################################
 # called by add_form, used to insert/modify data in DB
 } elsif ( $op eq 'add_validate' ) {
+ output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
 # to handle multiple values
 my $value;
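Review bot: The new CSRF check in the `save` branch of admin/preferences.pl is keyed solely on `$op eq 'save'`, and the branch body that writes the preferences continues outside the hunk, so the ordering constraint — token verified before the first `$input->param()` value is turned into a write — is only visible by reading past the diff. A one-line comment above the call, `# Verify the CSRF token before any preference below is written`, would keep a later edit from moving setup code or another write path ahead of it. The call also relies on `$cookie` and `$template` already being populated by the earlier login/template setup; that looks true from the surrounding context but is not visible in this hunk.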
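Review bot: In admin/systempreferences.pl the same `output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });` line is pasted verbatim into the `update_and_reedit` branch here and again into `add_validate` (hunk @@ -302) and `delete_confirmed` (hunk @@ -348), so the set of state-changing ops that require a token is maintained in three places and a future branch that writes preferences can silently skip the check. A single guarded call placed right after the `if ($op) { ... }` block, e.g. `my %needs_csrf = map { $_ => 1 } qw( update_and_reedit add_validate delete_confirmed );` followed by `output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' }) if $needs_csrf{$op};`, keeps that list in one place; the op names are taken from the visible branches, and any other mutating op outside these hunks would need adding. In the `update_and_reedit` branch the check precedes an empty `foreach ( $input->param ) { }`, so the first write it actually protects is further down, outside the hunk.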
@@ -348,6 +350,7 @@ if ( $op eq 'add_form' ) {
 ################## DELETE_CONFIRMED ##################################
 # called by delete_confirm, used to effectively confirm deletion of data in DB
 } elsif ( $op eq 'delete_confirmed' ) {
+ output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
 C4::Context->delete_preference($searchfield);
 # END $OP eq DELETE_CONFIRMED
 ################## DEFAULT ##################################
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
index b1bd23b314..3b8eb35bfe 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
@@ -58,6 +58,7 @@