From e50445fef2d61b038bf756f6cd42e4c5b88d6ca3 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Fri, 9 Feb 2024 08:55:23 +0000
Subject: [PATCH] Bug 34478: Changes for tools/import_borrowers
Removed a csrf check in script itself.
Signed-off-by: Jonathan Druart
---
.../prog/en/modules/tools/import_borrowers.tt | 3 ++-
tools/import_borrowers.pl | 12 +++---------
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
index 8e7b34ce70..3f57be0024 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
@@ -225,6 +225,8 @@
+ [% INCLUDE 'csrf-token.inc' %] +
Import into the borrowers table @@ -381,7 +383,6 @@
- [% INCLUDE 'csrf-token.inc' %]
diff --git a/tools/import_borrowers.pl b/tools/import_borrowers.pl index ffa452b795..540a933b65 100755 --- a/tools/import_borrowers.pl +++ b/tools/import_borrowers.pl @@ -61,6 +61,7 @@ push( @columnkeys, 'patron_attributes' ) if $extended; push( @columnkeys, qw( guarantor_relationship guarantor_id ) ); my $input = CGI->new(); +my $op = $input->param('op') // q{}; my ( $template, $loggedinuser, $cookie ) = get_template_and_user( { @@ -104,12 +105,7 @@ my $patronlistname = $uploadborrowers . ' (' . $timestamp .')'; $template->param( SCRIPT_NAME => '/cgi-bin/koha/tools/import_borrowers.pl' ); -if ( $uploadborrowers && length($uploadborrowers) > 0 ) { - output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' ) - unless Koha::Token->new->check_csrf({ - session_id => scalar $input->cookie('CGISESSID'), - token => scalar $input->param('csrf_token'), - }); +if ( $op eq 'cud-import' && $uploadborrowers && length($uploadborrowers) > 0 ) { my $handle = $input->upload('uploadborrowers'); my %defaults = $input->Vars; @@ -162,8 +158,7 @@ if ( $uploadborrowers && length($uploadborrowers) > 0 ) { total => $imported + $alreadyindb + $invalid + $overwritten, ); -} -else { +} else { if ($extended) { my @matchpoints = (); my $attribute_types = Koha::Patron::Attribute::Types->search; @@ -179,4 +174,3 @@ else { } output_html_with_http_headers $input, $cookie, $template->output; - -- 2.39.5
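Review bot: In the `@@ -104,12 +105,7 @@` hunk of tools/import_borrowers.pl, nothing visible validates the CSRF token or the request method before `$input->upload('uploadborrowers')` runs; once the `check_csrf` call is removed, the only guard left is `$op eq 'cud-import'`. The protection presumably comes from a central check elsewhere in the application that keys on the `cud-` prefix, but that is not shown in this patch. A comment above the `if` would keep the dependency visible to the next maintainer, for example `# CSRF token for cud-* ops is validated centrally before this script runs; keep the cud- prefix on this op`. An upload posted with a missing or different `op` now falls silently into the `else` branch and re-renders the form, so a template message for that case would help. If the file still loads `Koha::Token` only for the removed check, that import is presumably now unused. The `if` block's body continues past this hunk and closes in the next one.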