From e7e5a54dc897a3fa08722ce268862ff2aecae23e Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Wed, 22 Jan 2020 21:37:22 +0530
Subject: [PATCH] Bug 22990: Add CSRF protection to boraccount, pay and
 suggestion

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Test plan would have been nioe.
Tested by changing MAX_AGE with suggestions.

Bug 22990: Fix for shelves table

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 22990: Fix template toolkit syntax issues in shelves_results.tt

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 22990: (follow-up) Fix suggestion.pl

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 .../prog/en/modules/members/boraccount.tt         | 11 +++++++----
 .../intranet-tmpl/prog/en/modules/members/pay.tt  |  1 +
 .../prog/en/modules/suggestion/suggestion.tt      | 15 +++++++++------
 .../prog/en/modules/virtualshelves/shelves.tt     |  4 +++-
 .../virtualshelves/tables/shelves_results.tt      |  3 +++
 members/boraccount.pl                             | 15 ++++++++++-----
 members/pay.pl                                    |  8 ++++++++
 suggestion/suggestion.pl                          | 10 +++++++---
 virtualshelves/shelves.pl                         |  8 +++++++-
 9 files changed, 55 insertions(+), 20 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
index aa12bb985a..7480384ae0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
@@ -45,7 +45,7 @@
 
 [% INCLUDE 'members-toolbar.inc' %]
 <h1>Account for [% INCLUDE 'patron-title.inc' %]</h1>
-<form action="/cgi-bin/koha/members/boraccount.pl" method="get"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" /></form>
+<form action="/cgi-bin/koha/members/boraccount.pl" method="get">[% INCLUDE 'csrf-token.inc' %]<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" /></form>
 
 <!-- The manual invoice and credit buttons -->
 <div class="statictabs">
@@ -112,14 +112,14 @@
         [% END %]
         <a href="accountline-details.pl?accountlines_id=[% account.accountlines_id | uri %]" class="btn btn-default btn-xs details-action"><i class="fa fa-list"></i> Details</a>
         [% IF account.is_debit && account.amountoutstanding > 0 %]
-            <a class="btn btn-default btn-xs pay-action" href="/cgi-bin/koha/members/paycollect.pl?borrowernumber=[% account.borrowernumber | html %]&pay_individual=1&debit_type_code=[% account.debit_type_code | html %]&amount=[% account.amount | html %]&amountoutstanding=[% account.amountoutstanding | html %]&description=[% account.description | html %]&itemnumber=[% account.itemnumber | html %]&accountlines_id=[% account.accountlines_id | html %]"><i class="fa fa-money"></i> Pay</a>
+            <a class="btn btn-default btn-xs pay-action" href="/cgi-bin/koha/members/paycollect.pl?borrowernumber=[% account.borrowernumber | html %]&pay_individual=1&debit_type_code=[% account.debit_type_code | html %]&amount=[% account.amount | html %]&amountoutstanding=[% account.amountoutstanding | html %]&description=[% account.description | html %]&itemnumber=[% account.itemnumber | html %]&accountlines_id=[% account.accountlines_id | html %]&amp;csrf_token=[% csrf_token | html %]"><i class="fa fa-money"></i> Pay</a>
         [% END %]
         [% IF account.is_credit && account.status != 'VOID' %]
-          <a href="boraccount.pl?action=void&amp;accountlines_id=[% account.accountlines_id | uri %]&amp;borrowernumber=[% account.borrowernumber | uri %]" class="btn btn-default btn-xs void-action"><i class="fa fa-ban"></i> Void payment</a>
+          <a href="boraccount.pl?action=void&amp;accountlines_id=[% account.accountlines_id | uri %]&amp;borrowernumber=[% account.borrowernumber | uri %]&amp;csrf_token=[% csrf_token | uri %]" class="btn btn-default btn-xs void-action"><i class="fa fa-ban"></i> Void payment</a>
         [% END %]
         [% IF account.is_debit && account.amount == account.amountoutstanding && account.status != 'CANCELLED' && !(account.debit_type_code == 'PAYOUT') %]
           <form method="post" action="/cgi-bin/koha/members/cancel-charge.pl">
-            <input type="hidden" name="csrf_token" value="[% csrf_token | html %]">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="borrowernumber" value="[% patron.borrowernumber | html %]">
             <input type="hidden" name="accountlines_id" value="[% account.accountlines_id | html %]">
             <button type="submit" class="btn btn-default btn-xs cancel-action">
@@ -174,6 +174,7 @@
     <!-- Issue payout modal -->
     <div class="modal" id="issuePayoutModal" tabindex="-1" role="dialog" aria-labelledby="issuePayoutLabel">
         <form  id="payout_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="payoutline">
             <input type="hidden" name="action" value="payout">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
@@ -228,6 +229,7 @@
     <!-- Issue refund modal -->
     <div class="modal" id="issueRefundModal" tabindex="-1" role="dialog" aria-labelledby="issueRefundLabel">
         <form  id="refund_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="refundline">
             <input type="hidden" name="action" value="refund">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
@@ -285,6 +287,7 @@
     <!-- Apply discount modal -->
     <div class="modal" id="applyDiscountModal" tabindex="-1" role="dialog" aria-labelledby="applyDiscountLabel">
         <form  id="discount_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="discountline">
             <input type="hidden" name="action" value="discount">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
index d5bb5b5117..cbc810e6f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
@@ -56,6 +56,7 @@
 [% IF ( accounts ) %]
     <form action="/cgi-bin/koha/members/pay.pl" method="post" id="pay-fines-form">
     <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" />
+    [% INCLUDE 'csrf-token.inc' %]
 <p><span class="checkall"><a id="CheckAll" href="#"><i class="fa fa-check"></i> Select all</a></span> | <span class="clearall"><a id="CheckNone" href="#"><i class="fa fa-remove"></i> Clear all</a></span></p>
 <table id="finest">
 <thead>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
index 8a3fec4128..9ec154bd9e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
@@ -104,6 +104,8 @@
         </ol>
     </nav> <!-- /.breadcrumbs -->
 
+    [% INCLUDE 'blocking_errors.inc' %]
+
     [% IF ( op == 'show' ) %]
         <div class="main container-fluid">
             <div class="row">
@@ -345,6 +347,7 @@
             [% END %]
 
             <form id="add_edit" action="suggestion.pl" method="post" class="validated">
+                [% INCLUDE 'csrf-token.inc' %]
                 <input type="hidden" name="redirect" id="redirect" value="[% redirect | html %]" />
                 <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber | html %]" />
                 [% IF ( suggestionid ) %]
@@ -707,17 +710,16 @@
                                     <span>No name</span>
                                 [% END %]
                             [% END %]
-                            ([% suggestion.suggestions_loop.size | html %])
-                            </a>
-                            </li>
+                            ([% suggestion.suggestions_loop.size | html %])</a></li>
                         [% END # /FOREACH suggestion %]
                     </ul> <!-- /.ui-tabs-nav -->
                     <div class="tab-content">
             [% END # /UNLESS notabs %]
 
-                [% FOREACH suggestion IN suggestions %]
-                    <div id="[% suggestion.suggestiontype | html %]" role="tabpanel" class="tab-pane">
-                        <form class="update_suggestions" name="f" method="post" action="/cgi-bin/koha/suggestion/suggestion.pl#[% suggestion.suggestiontype| uri %]">
+            [% FOREACH suggestion IN suggestions %]
+                <div id="[% suggestion.suggestiontype | html %]">
+                    <form class="update_suggestions" name="f" method="post" action="/cgi-bin/koha/suggestion/suggestion.pl#[% suggestion.suggestiontype| uri %]">
+                        [% INCLUDE 'csrf-token.inc' %]
 
                             [% IF ( suggestion.suggestions_loop ) %]
                                 <p>
@@ -991,6 +993,7 @@
                 <div class="col-sm-2 col-sm-pull-10">
                     <aside>
                         <form name="suggestionfilter" action="suggestion.pl" method="get">
+                            [% INCLUDE 'csrf-token.inc' %]
                             <input type="hidden" name="branchcode" value="[% branchfilter | html %]" />
                             <fieldset class="brief">
                                 <ol style="display:block;">
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
index e34cc1cedd..f9b2bad616 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
@@ -188,6 +188,7 @@
     [% IF itemsloop %]
     <div class="pages">[% pagination_bar | $raw %]</div>
     <form action="/cgi-bin/koha/virtualshelves/shelves.pl" id="listform" method="post">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="op" value="remove_biblios" />
         <input type="hidden" name="referer" value="view" />
         <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
@@ -203,7 +204,6 @@
     <div id="searchheader" class="searchheader noprint">
         <div id="selection_ops"><span class="checkall"></span> |
         <span class="clearall"></span>
-
         <span class="addto">| </span>
         &nbsp;
         [% IF CAN_user_reserveforothers && Koha.Preference('DisplayMultiPlaceHold') %]
@@ -316,6 +316,7 @@
 [% IF op == 'add_form' OR op == 'edit_form' %]
 
     <form method="post" action="/cgi-bin/koha/virtualshelves/shelves.pl" class="validated">
+        [% INCLUDE 'csrf-token.inc' %]
         <fieldset class="rows">
 
         [% IF op == 'add_form' %]
@@ -449,6 +450,7 @@
     <div class="modal" id="addToList" tabindex="-1" role="dialog" aria-labelledby="addToListLabel">
         <div class="modal-dialog" role="document">
             <form action="/cgi-bin/koha/virtualshelves/shelves.pl" method="post">
+                [% INCLUDE 'csrf-token.inc' %]
                 <div class="modal-content">
                     <div class="modal-header">
                         <button type="button" class="closebtn" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
index fa89225653..29d872e9c1 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
@@ -39,6 +39,7 @@
     [%~ public      = public | html ~%]
     [%~ IF can_manage_shelf ~%]
         [%~ action_block =                '<form action="shelves.pl" method="get">' ~%]
+        [%~ action_block = BLOCK ~%][%~ action_block | $raw ~%][%~ INCLUDE 'csrf-token.inc' | trim ~%][%~ END ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="shelfnumber" value="' _ shelfnumber  _ '" />' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="op" value="edit_form" />' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="public" value="' _ public _ '" />' ~%]
@@ -48,6 +49,7 @@
     [%~ END ~%]
     [%~ IF can_manage_shelf OR can_delete_shelf ~%]
         [%~ action_block = action_block _ ' <form action="shelves.pl" method="post">' ~%]
+        [%~ action_block = BLOCK ~%][%~ action_block | $raw ~%][%~ INCLUDE 'csrf-token.inc' | trim ~%][%~ END ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="shelves" value="1" />' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="op" value="delete" />' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="shelfnumber" value="' _ shelfnumber  _ '" />' ~%]
@@ -60,4 +62,5 @@
     [%~ SET action_block = 'None' ~%]
 [%~ END ~%]
 [%~ To.json(action_block) | $raw ~%]
+
 [%~ END ~%]
diff --git a/members/boraccount.pl b/members/boraccount.pl
index 83fa43bf65..d04b520559 100755
--- a/members/boraccount.pl
+++ b/members/boraccount.pl
@@ -69,6 +69,7 @@ output_and_exit_if_error( $input, $cookie, $template, { module => 'members', log
 my $registerid = $input->param('registerid');
 
 if ( $action eq 'void' ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $payment_id = scalar $input->param('accountlines_id');
     my $payment    = Koha::Account::Lines->find( $payment_id );
     $payment->void(
@@ -81,8 +82,10 @@ if ( $action eq 'void' ) {
 }
 
 if ( $action eq 'payout' ) {
-    my $payment_id       = scalar $input->param('accountlines_id');
-    my $amount           = scalar $input->param('amount');
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
+    my $payment_id  = scalar $input->param('accountlines_id');
+    my $payment     = Koha::Account::Lines->find($payment_id);
+    my $amount      = scalar $input->param('amount');
     my $payout_type = scalar $input->param('payout_type');
     if ( $payment_id eq "" ) {
         $schema->txn_do(
@@ -119,9 +122,10 @@ if ( $action eq 'payout' ) {
 }
 
 if ( $action eq 'refund' ) {
-    my $charge_id        = scalar $input->param('accountlines_id');
-    my $charge           = Koha::Account::Lines->find($charge_id);
-    my $amount           = scalar $input->param('amount');
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
+    my $charge_id   = scalar $input->param('accountlines_id');
+    my $charge      = Koha::Account::Lines->find($charge_id);
+    my $amount      = scalar $input->param('amount');
     my $refund_type = scalar $input->param('refund_type');
     $schema->txn_do(
         sub {
@@ -152,6 +156,7 @@ if ( $action eq 'refund' ) {
 }
 
 if ( $action eq 'discount' ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $charge_id        = scalar $input->param('accountlines_id');
     my $charge           = Koha::Account::Lines->find($charge_id);
     my $amount           = scalar $input->param('amount');
diff --git a/members/pay.pl b/members/pay.pl
index 27181164ad..adc34b37c3 100755
--- a/members/pay.pl
+++ b/members/pay.pl
@@ -77,22 +77,28 @@ $user ||= q{};
 our $branch = C4::Context->userenv->{'branch'};
 
 if ( $input->param('paycollect') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     print $input->redirect(
         "/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber&change_given=$change_given");
 }
 elsif ( $input->param('payselected') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     payselected({ params => \@names });
 }
 elsif ( $input->param('writeoff_selected') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     payselected({ params => \@names, type => 'WRITEOFF' });
 }
 elsif ( $input->param('woall') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     writeoff_all(@names);
 }
 elsif ( $input->param('apply_credits') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     apply_credits({ patron => $patron, cgi => $input });
 }
 elsif ( $input->param('confirm_writeoff') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $item_id         = $input->param('itemnumber');
     my $accountlines_id = $input->param('accountlines_id');
     my $amount          = $input->param('amountwrittenoff');
@@ -129,9 +135,11 @@ elsif ( $input->param('confirm_writeoff') ) {
 
 for (@names) {
     if (/^pay_indiv_(\d+)$/) {
+        output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
         my $line_no = $1;
         redirect_to_paycollect( 'pay_individual', $line_no );
     } elsif (/^wo_indiv_(\d+)$/) {
+        output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
         my $line_no = $1;
         redirect_to_paycollect( 'writeoff_individual', $line_no );
     }
diff --git a/suggestion/suggestion.pl b/suggestion/suggestion.pl
index 12eb39f017..8278a3f691 100755
--- a/suggestion/suggestion.pl
+++ b/suggestion/suggestion.pl
@@ -21,7 +21,7 @@ use Modern::Perl;
 require Exporter;
 use CGI qw ( -utf8 );
 use C4::Auth qw( get_template_and_user );
-use C4::Output qw( output_html_with_http_headers );
+use C4::Output qw( output_html_with_http_headers output_and_exit_if_error );
 use C4::Suggestions;
 use C4::Koha qw( GetAuthorisedValues );
 use C4::Budgets qw( GetBudget GetBudgets GetBudgetHierarchy CanUserUseBudget );
@@ -98,6 +98,7 @@ my $reasonsloop     = GetAuthorisedValues("SUGGEST");
 
 # filter informations which are not suggestion related.
 my $suggestion_ref  = { %{$input->Vars} }; # Copying, otherwise $input will be modified
+delete $suggestion_ref->{csrf_token};
 
 # get only the columns of Suggestion
 my $schema = Koha::Database->new()->schema;
@@ -127,6 +128,7 @@ my $branchfilter = $input->param('branchcode') || C4::Context->userenv->{'branch
 ##
 
 if ( $op =~ /save/i ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my @messages;
     my $biblio = MarcRecordFromNewSuggestion({
             title => $suggestion_only->{title},
@@ -243,7 +245,8 @@ elsif ($op=~/add/) {
     $op ='save';
 }
 elsif ($op=~/edit/) {
-    #Edit suggestion  
+    #Edit suggestion
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     $suggestion_ref=&GetSuggestion($$suggestion_ref{'suggestionid'});
     $suggestion_ref->{reasonsloop} = $reasonsloop;
     my $other_reason = 1;
@@ -258,7 +261,7 @@ elsif ($op=~/edit/) {
     $op ='save';
 }  
 elsif ($op eq "update_status" ) {
-
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $suggestion;
     # set accepted/rejected/managed informations if applicable
     # ie= if the librarian has chosen some action on the suggestions
@@ -295,6 +298,7 @@ elsif ($op eq "update_status" ) {
     }
     redirect_with_params($input);
 }elsif ($op eq "delete" ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     foreach my $delete_field (@editsuggestions) {
         &DelSuggestion( $borrowernumber, $delete_field,'intranet' );
     }
diff --git a/virtualshelves/shelves.pl b/virtualshelves/shelves.pl
index 66947f925b..7df9d35db7 100755
--- a/virtualshelves/shelves.pl
+++ b/virtualshelves/shelves.pl
@@ -30,7 +30,7 @@ use C4::Koha qw(
 );
 use C4::Items qw( GetItemsLocationInfo );
 use C4::Members;
-use C4::Output qw( pagination_bar output_html_with_http_headers );
+use C4::Output qw( pagination_bar output_html_with_http_headers output_and_exit_if_error );
 use C4::XSLT qw( XSLTParse4Display );
 
 use Koha::Biblios;
@@ -63,6 +63,7 @@ if ( $op eq 'add_form' ) {
     # Only pass default
     $shelf = { allow_change_from_owner => 1 };
 } elsif ( $op eq 'edit_form' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     $shelfnumber = $query->param('shelfnumber');
     $shelf       = Koha::Virtualshelves->find($shelfnumber);
 
@@ -78,6 +79,7 @@ if ( $op eq 'add_form' ) {
         push @messages, { type => 'alert', code => 'does_not_exist' };
     }
 } elsif ( $op eq 'add' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     my $allow_changes_from = $query->param('allow_changes_from');
     eval {
         $shelf = Koha::Virtualshelf->new(
@@ -103,6 +105,7 @@ if ( $op eq 'add_form' ) {
         $op = 'view';
     }
 } elsif ( $op eq 'edit' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     $shelfnumber = $query->param('shelfnumber');
     $shelf       = Koha::Virtualshelves->find($shelfnumber);
 
@@ -133,6 +136,7 @@ if ( $op eq 'add_form' ) {
         push @messages, { type => 'alert', code => 'does_not_exist' };
     }
 } elsif ( $op eq 'delete' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     $shelfnumber = $query->param('shelfnumber');
     $shelf       = Koha::Virtualshelves->find($shelfnumber);
     if ($shelf) {
@@ -151,6 +155,7 @@ if ( $op eq 'add_form' ) {
     }
     $op = 'list';
 } elsif ( $op eq 'add_biblio' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     $shelfnumber = $query->param('shelfnumber');
     $shelf = Koha::Virtualshelves->find($shelfnumber);
     if ($shelf) {
@@ -207,6 +212,7 @@ if ( $op eq 'add_form' ) {
     }
     $op = $referer;
 } elsif ( $op eq 'remove_biblios' ) {
+    output_and_exit_if_error($query, $cookie, $template, { check => 'csrf_token' });
     $shelfnumber = $query->param('shelfnumber');
     $shelf = Koha::Virtualshelves->find($shelfnumber);
     my @biblionumbers = $query->multi_param('biblionumber');
-- 
2.39.5