Project: Add missing CSRF checks

agent/post/project.php

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_project'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_name = sanitizeInput($_POST['name']);
@@ -89,6 +91,8 @@ if (isset($_POST['add_project'])) {
 
 if (isset($_POST['edit_project'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_POST['project_id']);
@@ -110,6 +114,8 @@ if (isset($_POST['edit_project'])) {
 
 if (isset($_GET['close_project'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_GET['close_project']);
@@ -132,6 +138,8 @@ if (isset($_GET['close_project'])) {
 
 if (isset($_GET['archive_project'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_GET['archive_project']);
@@ -154,6 +162,8 @@ if (isset($_GET['archive_project'])) {
 
 if (isset($_GET['unarchive_project'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_GET['unarchive_project']);
@@ -200,6 +210,8 @@ if (isset($_GET['delete_project'])) {
 
 if (isset($_POST['link_ticket_to_project'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_POST['project_id']);
@@ -243,6 +255,8 @@ if (isset($_POST['link_ticket_to_project'])) {
 
 if (isset($_POST['link_closed_ticket_to_project'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $project_id = intval($_POST['project_id']);