From 59470197c296cf2a3cdb0acd3cdd120409b4dd32 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 20 Feb 2024 14:31:04 +0100
Subject: [PATCH] Bug 36102: If CSRF check fails, try with anonymous

Signed-off-by: Jonathan Druart
---
 Koha/Token.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Koha/Token.pm b/Koha/Token.pm
index 2c0817a26d..4a806b0e37 100644
--- a/Koha/Token.pm
+++ b/Koha/Token.pm
@@ -182,7 +182,15 @@ sub check_csrf {
 my ( $self, $params ) = @_;
 return if !$params->{session_id};
 $params = _add_default_csrf_params( $params );
- return $self->check({ %$params, type => 'CSRF' });
+ my $c = $self->check({ %$params, type => 'CSRF' });
+
+ unless ( $c ) {
+ # If the check failed we need to test with the "anonymous" in case the token was generating without the user being logged in yet.
+ $params->{id} = DEFA_SESSION_USERID . '_' . $params->{session_id};
+ $c = $self->check({ %$params, type => 'CSRF' });
+ }
+
+ return $c;
 }
 
 =head2 check_jwt
-- 
2.39.5
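Review bot: The fallback in the `unless ( $c )` branch overwrites `$params->{id}` in place, which leaks the anonymous id back to the caller if `_add_default_csrf_params` returns the hashref it was handed rather than a copy (its body is outside the hunk); passing the override in the anonymous hash avoids that: `$c ||= $self->check({ %$params, id => DEFA_SESSION_USERID . '_' . $params->{session_id}, type => 'CSRF' });` replaces the whole block. Security-wise the fallback means a token minted for the anonymous identity stays acceptable after the user has logged in, so it is only as safe as the token remaining bound to the same `session_id`; that invariant belongs in the comment, e.g. `# Fall back to the anonymous id: the token may have been generated before login, and it is still bound to this session_id.`, which also fixes the "was generating" typo. The constant `DEFA_SESSION_USERID` must already be in scope in this file, which the hunk does not show.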