mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 08:14:52 +00:00
Project: Add missing CSRF checks
This commit is contained in:
johnnyq
@@ -14,6 +14,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -34,6 +34,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="project_id" value="<?php echo $project_id; ?>">
|
||||
<div class="modal-body">
|
||||
<div class="form-group">
|
||||
|
||||
@@ -26,6 +26,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="project_id" value="<?php echo $project_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -27,6 +27,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="project_id" value="<?php echo $project_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_project'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_name = sanitizeInput($_POST['name']);
|
||||
@@ -89,6 +91,8 @@ if (isset($_POST['add_project'])) {
|
||||
|
||||
if (isset($_POST['edit_project'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_POST['project_id']);
|
||||
@@ -110,6 +114,8 @@ if (isset($_POST['edit_project'])) {
|
||||
|
||||
if (isset($_GET['close_project'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_GET['close_project']);
|
||||
@@ -132,6 +138,8 @@ if (isset($_GET['close_project'])) {
|
||||
|
||||
if (isset($_GET['archive_project'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_GET['archive_project']);
|
||||
@@ -154,6 +162,8 @@ if (isset($_GET['archive_project'])) {
|
||||
|
||||
if (isset($_GET['unarchive_project'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_GET['unarchive_project']);
|
||||
@@ -200,6 +210,8 @@ if (isset($_GET['delete_project'])) {
|
||||
|
||||
if (isset($_POST['link_ticket_to_project'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_POST['project_id']);
|
||||
@@ -243,6 +255,8 @@ if (isset($_POST['link_ticket_to_project'])) {
|
||||
|
||||
if (isset($_POST['link_closed_ticket_to_project'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
|
||||
$project_id = intval($_POST['project_id']);
|
||||
|
||||
@@ -205,7 +205,7 @@ if (isset($_GET['project_id'])) {
|
||||
</div>
|
||||
<?php } ?>
|
||||
<?php if (($tickets_closed_percent == 100 || $tickets_resolved_percent == 100) && empty($project_completed_at)) { ?>
|
||||
<a class="btn btn-dark btn-sm confirm-link" href="post.php?close_project=<?php echo $project_id; ?>">
|
||||
<a class="btn btn-dark btn-sm confirm-link" href="post.php?close_project=<?= $project_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-check mr-2"></i>Close
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -221,7 +221,7 @@ if (isset($_GET['project_id'])) {
|
||||
</a>
|
||||
<?php } ?>
|
||||
<?php if (!empty($project_completed_at) && empty($project_archived_at) && lookupUserPermission("module_support" >= 2)) { ?>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project=<?php echo $project_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project=<?= $project_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
@@ -281,16 +281,16 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if (!empty($project_completed_at) && lookupUserPermission("module_support" >= 2)) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php if (empty($project_archived_at)) { ?>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_project=<?php echo $project_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_project=<?= $project_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<?php } else { ?>
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?unarchive_project=<?php echo $project_id; ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?restore_project=<?= $project_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</a>
|
||||
<?php if (lookupUserPermission("module_support" >= 3)) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_project=<?php echo $project_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_project=<?= $project_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
Reference in New Issue
Block a user