diff --git a/agent/credentials.php b/agent/credentials.php index 4e65f9c8..62633e6c 100644 --- a/agent/credentials.php +++ b/agent/credentials.php @@ -244,8 +244,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
+
diff --git a/agent/modals/credential/credential_edit.php b/agent/modals/credential/credential_edit.php index f7d47d40..6ad2cdbe 100644 --- a/agent/modals/credential/credential_edit.php +++ b/agent/modals/credential/credential_edit.php @@ -44,6 +44,7 @@ ob_start();
+
diff --git a/agent/modals/credential/credential_export.php b/agent/modals/credential/credential_export.php index cb253be1..954b19af 100644 --- a/agent/modals/credential/credential_export.php +++ b/agent/modals/credential/credential_export.php @@ -15,6 +15,7 @@ ob_start();
+
diff --git a/agent/modals/credential/credential_import.php b/agent/modals/credential/credential_import.php index 8ff68e51..4d3aff0f 100644 --- a/agent/modals/credential/credential_import.php +++ b/agent/modals/credential/credential_import.php @@ -15,6 +15,7 @@ ob_start();
+

Format csv file with headings & data:
Name, Description, Username, Password, TOTP, URI

diff --git a/agent/post/credential.php b/agent/post/credential.php index b69595b1..be0a13c3 100644 --- a/agent/post/credential.php +++ b/agent/post/credential.php @@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_credential'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_credential', 2); require_once 'credential_model.php'; @@ -34,6 +36,8 @@ if (isset($_POST['add_credential'])) { if (isset($_POST['edit_credential'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_credential', 2); require_once 'credential_model.php'; @@ -73,6 +77,8 @@ if (isset($_POST['edit_credential'])) { if(isset($_GET['archive_credential'])){ + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_credential', 2); $credential_id = intval($_GET['archive_credential']); @@ -93,11 +99,13 @@ if(isset($_GET['archive_credential'])){ } -if(isset($_GET['unarchive_credential'])){ +if(isset($_GET['restore_credential'])){ + + validateCSRFToken($_GET['csrf_token']); enforceUserPermission('module_credential', 2); - $credential_id = intval($_GET['unarchive_credential']); + $credential_id = intval($_GET['restore_credential']); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); @@ -107,7 +115,7 @@ if(isset($_GET['unarchive_credential'])){ mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id"); - logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id); + logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id); flash_alert("Credential $credential_name restored"); @@ -117,6 +125,8 @@ if(isset($_GET['unarchive_credential'])){ if (isset($_GET['delete_credential'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_credential', 3); $credential_id = intval($_GET['delete_credential']); @@ -139,6 +149,8 @@ if (isset($_GET['delete_credential'])) { if (isset($_POST['bulk_assign_credential_tags'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_credential', 2); // Assign tags to Selected Credentials @@ -296,7 +308,7 @@ if (isset($_POST['bulk_archive_credentials'])) { } -if (isset($_POST['bulk_unarchive_credentials'])) { +if (isset($_POST['bulk_restore_credentials'])) { validateCSRFToken($_POST['csrf_token']); @@ -307,7 +319,7 @@ if (isset($_POST['bulk_unarchive_credentials'])) { // Get Selected Credential Count $count = count($_POST['credential_ids']); - // Cycle through array and unarchive + // Cycle through array and restore foreach ($_POST['credential_ids'] as $credential_id) { $credential_id = intval($credential_id); @@ -320,13 +332,13 @@ if (isset($_POST['bulk_unarchive_credentials'])) { mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id"); - logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id); + logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id); } - logAction("Credential", "Bulk Unarchive", "$session_name unarchived $count credential(s)", $client_id); + logAction("Credential", "Bulk Restore", "$session_name restored $count credential(s)", $client_id); - flash_alert("Unarchived $count credential(s)"); + flash_alert("Restored $count credential(s)"); } @@ -374,6 +386,8 @@ if (isset($_POST['bulk_delete_credentials'])) { if (isset($_POST['export_credentials_csv'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_credential'); if ($_POST['client_id']) { @@ -431,6 +445,8 @@ if (isset($_POST['export_credentials_csv'])) { if (isset($_POST["import_credentials_csv"])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_credential', 2); $client_id = intval($_POST['client_id']);