From 501ad2508a07bd16814e472eeaa140fd5fe76951 Mon Sep 17 00:00:00 2001
From: Nick Clemens <nick@bywatersolutions.com>
Date: Wed, 23 May 2018 10:37:35 +0000
Subject: [PATCH] Bug 20701: (17.11 follow-up) Move csrf token after checkauth
 and use scalar

(cherry picked from commit 8bbc2f481037867bc188a0c1f27f06205d3c4bfa)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 members/mancredit.pl  |  2 +-
 members/maninvoice.pl | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/members/mancredit.pl b/members/mancredit.pl
index 94c308e93a..c3120ffbe6 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -52,7 +52,7 @@ if ($add){
 
         die "Wrong CSRF token"
             unless Koha::Token->new->check_csrf( {
-                session_id => $input->cookie('CGISESSID'),
+                session_id => scalar $input->cookie('CGISESSID'),
                 token  => scalar $input->param('csrf_token'),
             });
 
diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 7f79e55f79..153b96054c 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -47,12 +47,12 @@ my $borrowernumber=$input->param('borrowernumber');
 my $data=GetMember('borrowernumber'=>$borrowernumber);
 my $add=$input->param('add');
 if ($add){
-    die "Wrong CSRF token"
-        unless Koha::Token->new->check_csrf( {
-            session_id => $input->cookie('CGISESSID'),
-            token => scalar $input->param('csrf_token'),
-        });
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => scalar $input->cookie('CGISESSID'),
+                token => scalar $input->param('csrf_token'),
+            });
         #  print $input->header;
         my $barcode=$input->param('barcode');
         my $itemnum;
-- 
2.39.5