From 5300bcd57458f9d39b376ad02d20903ce727e8db Mon Sep 17 00:00:00 2001
From: Nick Clemens <nick@bywatersolutions.com>
Date: Mon, 18 Mar 2024 16:27:58 +0000
Subject: [PATCH] Bug 36349: Make sure CSRF token is included for all login
 scenarios

To test:
1 - In KTD visit:
    http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
2 - Everything should be set for auto self check user etc, just login
    as a patron
    If not (or not using KTD) setup a self check user, enable SCO and
    SCI, set self check patron system preferences, then login with
    patron
3 - 403 Error
4 - Repeat with sco:
    http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
5 - Apply patch, restart all
6 - Try again, both should be successful

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
index 0092e20b12..52a59027c9 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@@ -208,8 +208,8 @@
                                 <form action="/cgi-bin/koha/sci/sci-main.pl" name="auth" id="auth" method="post" autocomplete="off">
                             [% ELSE %]
                                 <form action="[% script_name | html %]" name="auth" id="auth" method="post" autocomplete="off">
-                                    [% INCLUDE 'csrf-token.inc' %]
                             [% END %]
+                                     [% INCLUDE 'csrf-token.inc' %]
                                 <input type="hidden" name="op" value="cud-login" />
                                 <input type="hidden" name="koha_login_context" value="opac" />
 
-- 
2.39.5