-<form enctype="multipart/form-data" action="photo/change" method="post">
- {if ($session.promo ge 1995) || ($session.promo le 2002)}
+<form enctype="multipart/form-data" action="photo/change/{$hrpid}" method="post">
+ {xsrf_token_field}
+ {assign var="profile" value=$smarty.session.user->profile()}
+ {if $profile && (($profile->yearpromo() ge 1995) || ($profile->yearpromo() le 2002))}