From 5f846a33abe89599fa7b9a37cb3c00632d30ec90 Mon Sep 17 00:00:00 2001
From: Nick Clemens <nick@bywatersolutions.com>
Date: Wed, 23 May 2018 10:37:35 +0000
Subject: [PATCH] Bug 20701: (17.11 follow-up) Move csrf token after checkauth
 and use scalar

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
---
 members/mancredit.pl  |  2 +-
 members/maninvoice.pl | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/members/mancredit.pl b/members/mancredit.pl
index 3617f2af90..e1a383aac3 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -55,7 +55,7 @@ if ($add){
 
         die "Wrong CSRF token"
             unless Koha::Token->new->check_csrf( {
-                session_id => $input->cookie('CGISESSID'),
+                session_id => scalar $input->cookie('CGISESSID'),
                 token  => scalar $input->param('csrf_token'),
             });
 
diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index a6429aa40d..dfe3d1c65c 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -51,12 +51,12 @@ unless ( $patron ) {
 
 my $add=$input->param('add');
 if ($add){
-    die "Wrong CSRF token"
-        unless Koha::Token->new->check_csrf( {
-            session_id => $input->cookie('CGISESSID'),
-            token => scalar $input->param('csrf_token'),
-        });
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => scalar $input->cookie('CGISESSID'),
+                token => scalar $input->param('csrf_token'),
+            });
         #  print $input->header;
         my $barcode=$input->param('barcode');
         my $itemnum;
-- 
2.39.5