From d9d95873427cff8347d2a8d83cbfff4cb3d7f89c Mon Sep 17 00:00:00 2001
From: Emily-Rose Francoeur
Date: Tue, 10 Oct 2023 13:30:43 -0400
Subject: [PATCH] Bug 35019: Add a CSRF token when deleting news

I add a CSRF token as a parameter in the link for deleting a news entry, which solves the problem.
TEST PLAN
1) Apply the patch
2) Go to "Tools > News > New entry"
3) "Display location" should be set to "Staff interface"
4) Fill in the fields
5) Return to the homepage
6) Delete the created news entry
7) The "Additional contents" page is displayed, and the deleted news entry no longer appears
8) Return to the homepage; the news entry no longer displays
Signed-off-by: Owen Leonard
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
Edit: adapted the template change to latest master inline
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit f4b858778268730d49dc9f11d9d2d9bf6faf3f6e)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt | 2 +-
 mainpage.pl | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
index 7cdba7568b..2e05470691 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
@@ -34,7 +34,7 @@

Posted on [% koha_new.published_on | $KohaDates %][% IF( show_author && koha_new.author ) %] by [% INCLUDE 'patron-title.inc' patron=koha_new.author %]
[% END %] [% IF ( CAN_user_tools_edit_additional_contents ) %] Edit - | Delete + | Delete | New [% END %]
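Review bot: The Delete control on the new side is still a plain link, so the CSRF token now travels in a GET query string, where it lands in browser history, proxy and web-server logs and outbound Referer headers, which weakens the protection it is meant to add. A state-changing delete should be a small POST form with the token in a hidden field, `<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />`, submitted by the Delete button instead of appended to the href. The anchor markup has been stripped in this rendering, so also confirm that the token is run through the `uri` filter on the href like the other parameters; the enclosing paragraph and its closing tag are not visible here.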

diff --git a/mainpage.pl b/mainpage.pl
index 855913ae72..e1c033f18a 100755
--- a/mainpage.pl
+++ b/mainpage.pl
@@ -37,6 +37,7 @@ use Koha::Suggestions;
 use Koha::BackgroundJobs;
 use Koha::CurbsidePickups;
 use Koha::Tickets;
+use Koha::Token;
 my $query = CGI->new;
@@ -69,6 +70,7 @@ my $koha_news = Koha::AdditionalContents->search_for_display(
 $template->param(
 koha_news => $koha_news,
+csrf_token => Koha::Token->new->generate_csrf( { session_id => $query->cookie('CGISESSID'), } ),
 daily_quote => Koha::Quotes->get_daily_quote(),
 );
-- 
2.39.2
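Review bot: In the second hunk `$query->cookie('CGISESSID')` is evaluated in list context inside the anonymous hash handed to generate_csrf, so a missing cookie leaves the hash with an odd number of elements and `session_id` undefined, and a duplicated cookie header would inject extra key/value pairs; force scalar context with `session_id => scalar $query->cookie('CGISESSID')`. The token is also generated for every visitor of the page, although the template only emits it when the user has the edit permission, which is harmless but worth a comment such as `# CSRF token for the news Delete link rendered in intranet-main.tt`. Whether the delete handler actually verifies the token is outside this patch, so the link is only protected if that check already exists in additional-contents.pl; both hunks sit in the middle of mainpage.pl's top-level statement run.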