Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
Nick Clemens d6f99f0df1 Bug 20701: Add csrf protection to maninvoice.pl
TO test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-23 12:19:33 -03:00

93 lines
3.8 KiB
Text

[% USE Asset %]
[% USE Koha %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; Create manual invoice</title>
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="pat_maninvoice" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; Manual invoice</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
<!-- The manual invoice and credit buttons -->
<div class="statictabs">
<ul>
<li><a href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% patron.borrowernumber %]">Account</a></li>
<li><a href="/cgi-bin/koha/members/pay.pl?borrowernumber=[% patron.borrowernumber %]" >Pay fines</a></li>
<li class="active"><a href="/cgi-bin/koha/members/maninvoice.pl?borrowernumber=[% patron.borrowernumber %]" >Create manual invoice</a></li>
<li><a href="/cgi-bin/koha/members/mancredit.pl?borrowernumber=[% patron.borrowernumber %]" >Create manual credit</a></li>
</ul>
<div class="tabs-container">
[% IF ( ERROR ) %]
[% IF ( ITEMNUMBER ) %]
ERROR an invalid itemnumber was entered, please hit back and try again
[% END %]
[% ELSE %]
<form action="/cgi-bin/koha/members/maninvoice.pl" method="post" id="maninvoice"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber %]" />
<input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<fieldset class="rows">
<legend>Manual invoice</legend>
<ol>
<li>
<label for="type">Type: </label>
<select name="type" id="invoice_type">
<option value="L">Lost item</option>
<option value="F">Fine</option>
<option value="A">Account management fee</option>
<option value="N">New card</option>
<option value="M">Sundry</option>
[% FOREACH invoice_types_loo IN invoice_types_loop %]
<option value="[% invoice_types_loo.authorised_value %]">[% invoice_types_loo.authorised_value %]</option>
[% END %]
</select>
</li>
<li><label for="barcode">Barcode: </label><input type="text" name="barcode" id="barcode" /></li>
<li><label for="desc">Description: </label><input type="text" name="desc" id="desc" size="50" /></li>
<li><label for="note">Note: </label><input type="text" name="note" size="50" id="note" /></li>
<li><label for="amount">Amount: </label><input type="number" name="amount" id="amount" required="required" value="" step="any" min="0" /> Example: 5.00</li>
</ol></fieldset>
<fieldset class="action"><input type="submit" name="add" value="Save" /> <a class="cancel" href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% patron.borrowernumber %]">Cancel</a></fieldset>
</form>
[% END %]
</div></div>
</div>
</div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/members-menu.js") %]
<script type="text/javascript">
var type_fees = {'L':'','F':'','A':'','N':'','M':''};
[% FOREACH invoice_types_loo IN invoice_types_loop %]
type_fees['[% invoice_types_loo.authorised_value %]'] = "[% invoice_types_loo.lib %]";
[% END %]
$(document).ready(function(){
$('#maninvoice').preventDoubleFormSubmit();
$("fieldset.rows input, fieldset.rows select").addClass("noEnterSubmit");
$("#invoice_type").on("change",function(){
this.form.desc.value = this.options[this.selectedIndex].value;
this.form.amount.value = type_fees[this.options[this.selectedIndex].value];
});
});
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]