From 0342f7d366ebeb0a859ac2aa2eb8a7cecb0858f2 Mon Sep 17 00:00:00 2001
From: Lucas Gass <lucas@bywatersolutions.com>
Date: Thu, 12 Dec 2024 18:32:11 +0000
Subject: [PATCH] Add csrf-token to post forms

---
 .../RoomReservations/bookas.tt                |  6 ++++
 .../RoomReservations/configure.tt             | 31 +++++++++++++++++++
 .../RoomReservations/opac/calendar.tt         |  7 +++++
 .../RoomReservations/tool.tt                  |  6 ++++
 4 files changed, 50 insertions(+)

diff --git a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/bookas.tt b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/bookas.tt
index 50c0b09..923aa99 100644
--- a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/bookas.tt
+++ b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/bookas.tt
@@ -62,6 +62,7 @@
         }
     </script>
     <form name="availabilitySearchForm" method="post" action="#" onsubmit="return validateAvailabilitySearch()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
@@ -257,6 +258,7 @@
             }
         </script>
         <form method="post" action="#" onsubmit="return validateAvailabilitySearchResults()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
@@ -297,6 +299,7 @@
         [% ELSE %]
         <h2 class="no-rooms-match">[% 'No rooms match your criteria!' | gettext %]</h2>
         <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="op" value="" />
 
             <button>[% 'Click here to try another search' | gettext %]</button>
@@ -304,6 +307,7 @@
         </form>
     [% ELSIF op == 'room-selection-confirmation' %]
         <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
@@ -348,6 +352,7 @@
             </h2>
 
             <form method="post" action="#">
+                [% INCLUDE 'csrf-token.inc' %]
                 <input type="hidden" name="class" value="[% CLASS %]" />
                 <input type="hidden" name="method" value="[% METHOD %]" />
                 <input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
@@ -360,6 +365,7 @@
             <h3>[% 'An email confirmation has been sent to' | gettext %] [% patron_email %]!</h3>
             [% END %]
             <form method="post" action="#">
+                [% INCLUDE 'csrf-token.inc' %]
                 <input type="hidden" name="class" value="[% CLASS %]" />
                 <input type="hidden" name="method" value="[% METHOD %]" />
                 <input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
diff --git a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/configure.tt b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/configure.tt
index 1b4bc6d..4867fe8 100644
--- a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/configure.tt
+++ b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/configure.tt
@@ -82,6 +82,7 @@
 
     [% IF op == '' %]
     <form name="config_actions" method="post" action="#" onsubmit="return validateConfigActions()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="action-selected" />
@@ -120,6 +121,7 @@
         };
     </script>
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="[% action %]" />
@@ -152,6 +154,7 @@
             }
     </script>
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -160,6 +163,7 @@
     <br />
     <br />
     <form name="displayRooms" method="post" action="#" onsubmit="return validateDisplayRooms()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="display-rooms-detail" />
@@ -198,6 +202,7 @@
 
     [% IF op == 'display-rooms-detail' %]
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -206,6 +211,7 @@
     <br />
     <br />
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="display-rooms" />
@@ -243,6 +249,7 @@
 
     [% IF op == 'max-future-date' %]
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -268,6 +275,7 @@
             }
         </script>
         <form name="maxFutureDateForm" method="post" action="#" onsubmit="return validateMaxFutureDate();">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="max-future-date" />
@@ -306,6 +314,7 @@
 
     [% IF op == 'max-time' %]
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -326,6 +335,7 @@
             }
         </script>
         <form name="maxTimeForm" method="post" action="#" onsubmit="return validateMaxTime();">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="max-time" />
@@ -400,6 +410,7 @@
 
     [% IF op == 'restrict-daily-reservations-per-patron' %]
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -420,6 +431,7 @@
             }
         </script>
         <form name="restrictDailyReservationsForm" method="post" action="#" onsubmit="return validateLimitRestriction();">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="restrict-daily-reservations-per-patron" />
@@ -483,6 +495,7 @@
 
     [% IF op == 'restrict-categories' %]
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -503,6 +516,7 @@
             }
         </script>
         <form name="restrictCategoriesForm" method="post" action="#" onsubmit="return validateRestrictCategories();">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="restrict-categories" />
@@ -596,6 +610,7 @@
             }
         </script>
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -621,6 +636,7 @@
 
         <!-- TODO: Display table of rooms already added -->
         <form name="addRoomForm" method="post" action="#" onsubmit="return validateAddRooms()">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="add-rooms" />
@@ -681,6 +697,7 @@
             }
         </script>
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -689,6 +706,7 @@
         <br />
         <br />
         <form name="editRoomsForm" method="post" action="#" onsubmit="return validateEditRooms()">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="edit-rooms-selection" />
@@ -736,6 +754,7 @@
         };
     </script>
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="[% edit_action %]" />
@@ -766,6 +785,7 @@
             }
         </script>
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -774,6 +794,7 @@
         <br />
         <br />
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="edit-rooms" />
@@ -783,6 +804,7 @@
         <br />
         <br />
         <form name="editRoomDetails" method="post" action="#" onsubmit="return validateEditRoomsRoom()">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="edit-rooms" />
@@ -832,6 +854,7 @@
             }
         </script>
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -840,6 +863,7 @@
         <br />
         <br />
         <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="edit-rooms" />
@@ -849,6 +873,7 @@
         <br />
         <br />
         <form name="editRoomEquipment" method="post" action="#" onsubmit="return validateEditRoomsEquipment()">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
             <input type="hidden" name="op" value="edit-rooms" />
@@ -919,6 +944,7 @@
     <br />
     <br />
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -927,6 +953,7 @@
     <br />
     <br />
     <form method="post" action="#" onsubmit="return deleteRoomConfirmation()">
+        [% INCLUDE 'csrf-token.inc' %]
         [% IF rooms_available_to_delete == 1 %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
@@ -973,6 +1000,7 @@
             }
         </script>
     <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -1002,6 +1030,7 @@
     <br />
 
     <form name="addEquipment" method="post" action="#" onsubmit="return validateAddEquipment()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="add-equipment" />
@@ -1054,6 +1083,7 @@
     <br />
     <br />
     <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="class" value="[% CLASS %]" />
             <input type="hidden" name="method" value="[% METHOD %]" />
 
@@ -1062,6 +1092,7 @@
         <br />
         <br />
     <form method="post" action="#" onsubmit="return deleteEquipmentConfirmation()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="delete-equipment" />
diff --git a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/opac/calendar.tt b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/opac/calendar.tt
index ffa17d6..23b4112 100644
--- a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/opac/calendar.tt
+++ b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/opac/calendar.tt
@@ -473,6 +473,7 @@
                          <tr>
                            <td style="text-align:left" colspan="10">
                              <form method="post" name="book-room" action="#">
+                               [% INCLUDE 'csrf-token.inc' %]
                                <input type="hidden" name="op" value="availability-search" />
                                <input type="submit" name="book-room-btn" value="[% 'Book a Room' | gettext %]" />
                              </form>
@@ -588,6 +589,7 @@
                 <div class="span12">
 
                 <form name="availabilitySearchForm" method="post" action="#" onsubmit="return (validateAvailabilitySearch() && checkExistingBookings())">
+                    [% INCLUDE 'csrf-token.inc' %]
                     <input type="hidden" name="max_days" id="max_days" value="[% max_days %]" />
                     <input type="hidden" name="max_time" id="max_time" value="[% max_time %]" />
                     <table align="center">
@@ -796,6 +798,7 @@
         <div class="row-fluid">
             <div class="span12">
                 <form method="post" action="#" onsubmit="return validateAvailabilitySearchResults()">
+                    [% INCLUDE 'csrf-token.inc' %]
                     <input type="hidden" name="start-date" value="[% start_date %]" />
                 [% IF are_rooms_available == 1 %]
                     <table border="2">
@@ -834,6 +837,7 @@
                 [% ELSE %]
                 <h2 class="no-rooms-match">[% 'No rooms match your criteria!' | gettext %]</h2>
                 <form method="post" action="#">
+                    [% INCLUDE 'csrf-token.inc' %]
                     <input type="hidden" name="op" value="availability-search" />
 
                     <button>[% 'Click here to try another search' | gettext %]</button>
@@ -867,6 +871,7 @@
             <div class="span12">
 
             <form name="confirmationForm" id="confirmationForm" method="post" action="#" onsubmit="return validateConfirmationForm();">
+                [% INCLUDE 'csrf-token.inc' %]
                 <fieldset style="float:left;">
                     <legend>[% 'Confirmation' | gettext %]</legend>
                     <p>[% 'Name:' | gettext %] <input type="text" size="36" value="[% current_user %]" readonly="true" /></p>
@@ -910,6 +915,7 @@
             </h2>
 
             <form method="post" action="#">
+            [% INCLUDE 'csrf-token.inc' %]
 
                 <button>[% 'Click here to search again' | gettext %]</button>
             </form>
@@ -920,6 +926,7 @@
             <h3>[% 'An email confirmation has been sent to' | gettext %] [% patron_email %]!</h3>
             [% END %]
             <form method="post" action="#">
+                [% INCLUDE 'csrf-token.inc' %]
 
                 <button>[% 'Back to calendar' | gettext %]</button>
             </form>
diff --git a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/tool.tt b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/tool.tt
index bc2e3a2..6e7ef42 100644
--- a/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/tool.tt
+++ b/Koha/Plugin/Com/MarywoodUniversity/RoomReservations/tool.tt
@@ -53,6 +53,7 @@
         }
     </script>
     <form name="tool_actions" method="post" action="#" onsubmit="return validateAction()">
+        [% INCLUDE 'csrf-token.inc' %]
     	<input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="action-selected" />
@@ -83,6 +84,7 @@
         };
     </script>
     <form method="post" action="#">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="[% action %]" />
@@ -121,6 +123,7 @@
     </script>
     <!-- TODO: add JS validation to check only one action item is selected - if (count > 1) -->
     <form name="manageBookingsForm" method="post" action="#" onsubmit="return validateBookingAction()">
+        [% INCLUDE 'csrf-token.inc' %]
     	<input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
 	    <input type="hidden" name="op" value="manage-reservations" />
@@ -210,6 +213,7 @@
         }
     </script>
     <form name="manageBlackoutsForm" action="#" method="post" onsubmit="return validateManageBlackouts()">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="manage-blackouts" />
@@ -353,6 +357,7 @@
     </script>
     <div id="full-blackout">
     <form action="#" name="fullBlackoutForm" method="post" onsubmit="return validateFullBlackout();">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="manage-blackouts" />
@@ -449,6 +454,7 @@
     </script>
     <div id="partial-blackout">
     <form action="#" name="partialBlackoutForm" method="post" onsubmit="return validatePartialBlackout();">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="class" value="[% CLASS %]" />
         <input type="hidden" name="method" value="[% METHOD %]" />
         <input type="hidden" name="op" value="manage-blackouts" />