From 7d62fd2dafb62872dd4b4aabe46ab7cd19d79b60 Mon Sep 17 00:00:00 2001
From: Emily-Rose Francoeur
Date: Tue, 10 Oct 2023 13:30:43 -0400
Subject: [PATCH] Bug 35019: Add a CSRF token when deleting news

I add a CSRF token as a parameter in the link for deleting a news entry, which solves the problem.

TEST PLAN
1) Apply the patch
2) Go to "Tools > News > New entry"
3) "Display location" should be set to "Staff interface"
4) Fill in the fields
5) Return to the homepage
6) Delete the created news entry
7) The "Additional contents" page is displayed, and the deleted news entry no longer appears
8) Return to the homepage; the news entry no longer displays

Signed-off-by: Owen Leonard
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi

Edit: adapted the template change to latest master inline

Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit f4b858778268730d49dc9f11d9d2d9bf6faf3f6e)
Signed-off-by: Fridolin Somers
(cherry picked from commit d9d95873427cff8347d2a8d83cbfff4cb3d7f89c)
Signed-off-by: Matt Blenkinsop
---
 koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt | 2 +-
 mainpage.pl | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
index bc991ae9b3..4e316c0a1a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt
@@ -34,7 +34,7 @@

Posted on [% koha_new.published_on | $KohaDates %][% IF( show_author && koha_new.author ) %] by [% INCLUDE 'patron-title.inc' patron=koha_new.author %]
[% END %] [% IF ( CAN_user_tools_edit_additional_contents ) %] Edit - | Delete + | Delete | New [% END %]
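Review bot: The token added to the Delete link on the `[% IF ( CAN_user_tools_edit_additional_contents ) %]` line still drives a state-changing deletion through a plain GET hyperlink, so the CSRF token travels in the query string and is written to browser history, server and proxy access logs, and the Referer header of any outbound link on the page that follows. The anchor markup of this hunk has been stripped in this rendering, so the exact attribute cannot be checked here; per the commit message the token is appended to the delete URL. A token in the URL is better than none, but the durable fix is a small POST form carrying a hidden `csrf_token` field that the handler verifies, with the visible link kept for navigation only. Whichever form is used, the value must go through the template's `uri` filter when placed in a URL component, e.g. `[% csrf_token | uri %]`, not `html`.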

diff --git a/mainpage.pl b/mainpage.pl
index 4ca699bd43..76a8c2b75d 100755
--- a/mainpage.pl
+++ b/mainpage.pl
@@ -36,6 +36,8 @@ use Koha::Quotes;
 use Koha::Suggestions;
 use Koha::BackgroundJobs;
 use Koha::CurbsidePickups;
+use Koha::Tickets;
+use Koha::Token;
 my $query = CGI->new;
@@ -68,6 +70,7 @@ my $koha_news = Koha::AdditionalContents->search_for_display(
 $template->param(
     koha_news => $koha_news,
+    csrf_token => Koha::Token->new->generate_csrf( { session_id => $query->cookie('CGISESSID'), } ),
     daily_quote => Koha::Quotes->get_daily_quote(),
 );
-- 
2.39.2
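Review bot: `use Koha::Tickets;` in this hunk is not referenced by anything else in the patch, whose stated purpose is the CSRF token on the news delete link. If mainpage.pl already calls into Koha::Tickets further down the file (outside this hunk), the line only makes a transitively-loaded dependency explicit, which is fine but deserves a sentence in the commit message; otherwise it is unrelated to Bug 35019 and belongs in its own commit so the security fix stays minimal and easy to backport. `use Koha::Token;` is the import the second hunk actually needs.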
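Review bot: The new `csrf_token` parameter only generates a token; nothing in this two-file patch verifies one, so the protection rests entirely on the delete handler the link targets (outside this diff) already calling `Koha::Token->check_csrf` against the same session id, and a token that is generated but never checked is indistinguishable from no token. The test plan exercises only the happy path; a step that requests the delete URL with the token removed or altered and expects a rejection would confirm that check exists. The token is bound to `$query->cookie('CGISESSID')`; the page is presumably only reachable after a staff login so the cookie should always be present, but it is worth confirming that `generate_csrf` fails loudly rather than issuing a token bound to undef if it is not. A one-line comment would help the next reader: `# Bound to the session cookie; the delete handler must verify it with check_csrf`.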