From 805f06fe313c350a66838ee8cfab757e83229515 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 30 Sep 2020 12:54:05 +0200
Subject: [PATCH] Add token for GET on page to setup journal.

---
 htdocs/accountancy/admin/journals_list.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php
index a09a38c959c..687ca02c91d 100644
--- a/htdocs/accountancy/admin/journals_list.php
+++ b/htdocs/accountancy/admin/journals_list.php
@@ -22,6 +22,8 @@
  * \brief		Setup page to configure journals
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN'))     define('CSRFCHECK_WITH_TOKEN','1');		// Force use of CSRF protection with tokens even for GET
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formadmin.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
@@ -636,19 +638,19 @@ if ($id)
 
 					// Active
 					print '<td class="nowrap center">';
-					if ($canbedisabled) print '<a href="'.$url.'action='.$acts[$obj->active].'">'.$actl[$obj->active].'</a>';
+					if ($canbedisabled) print '<a href="'.$url.'action='.$acts[$obj->active].'&token='.newToken().'">'.$actl[$obj->active].'</a>';
 					else print $langs->trans("AlwaysActive");
 					print "</td>";
 
 					// Modify link
-					if ($canbemodified) print '<td class="center"><a class="reposition editfielda" href="'.$url.'action=edit">'.img_edit().'</a></td>';
+					if ($canbemodified) print '<td class="center"><a class="reposition editfielda" href="'.$url.'action=edit&token='.newToken().'">'.img_edit().'</a></td>';
 					else print '<td>&nbsp;</td>';
 
 					// Delete link
 					if ($iserasable)
 					{
 						print '<td class="center">';
-						if ($user->admin) print '<a href="'.$url.'action=delete">'.img_delete().'</a>';
+						if ($user->admin) print '<a href="'.$url.'action=delete&token='.newToken().'">'.img_delete().'</a>';
 						//else print '<a href="#">'.img_delete().'</a>';    // Some dictionary can be edited by other profile than admin
 						print '</td>';
 					} else print '<td>&nbsp;</td>';