Expenses: Add missing CSRF, Add missing perms

2026-03-11 08:14:52 +00:00 · 2026-03-02 17:27:56 -05:00
parent 5b49908438
commit 1d5fceeecd
6 changed files with 38 additions and 5 deletions
--- a/agent/expenses.php
+++ b/agent/expenses.php
@@ -336,7 +336,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                            <i class="fas fa-fw fa-undo-alt mr-2"></i>Refund
                                        </a>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_expense=<?php echo $expense_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_expense=<?= $expense_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    </div>
--- a/agent/modals/expense/expense_add.php
+++ b/agent/modals/expense/expense_add.php
@@ -14,6 +14,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">

        <div class="form-row">
--- a/agent/modals/expense/expense_copy.php
+++ b/agent/modals/expense/expense_copy.php
@@ -31,6 +31,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-row">

--- a/agent/modals/expense/expense_export.php
+++ b/agent/modals/expense/expense_export.php
@@ -13,6 +13,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">

    <div class="modal-body">

--- a/agent/modals/expense/expense_refund.php
+++ b/agent/modals/expense/expense_refund.php
@@ -31,10 +31,12 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+    <input type="hidden" name="account" value="<?php echo $expense_account_id; ?>">
+    <input type="hidden" name="vendor" value="<?php echo $expense_vendor_id; ?>">
+    <input type="hidden" name="category" value="<?php echo $expense_category_id; ?>">
+
    <div class="modal-body">
-        <input type="hidden" name="account" value="<?php echo $expense_account_id; ?>">
-        <input type="hidden" name="vendor" value="<?php echo $expense_vendor_id; ?>">
-        <input type="hidden" name="category" value="<?php echo $expense_category_id; ?>">

        <div class="form-row">

--- a/agent/post/expense.php
+++ b/agent/post/expense.php
@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_expense'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    require_once 'expense_model.php';

    mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
@@ -43,6 +47,10 @@ if (isset($_POST['add_expense'])) {

 if (isset($_POST['edit_expense'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    require_once 'expense_model.php';

    $expense_id = intval($_POST['expense_id']);
@@ -82,6 +90,10 @@ if (isset($_POST['edit_expense'])) {

 if (isset($_GET['delete_expense'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_financial', 3);
+
    $expense_id = intval($_GET['delete_expense']);

    $sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
@@ -104,6 +116,10 @@ if (isset($_GET['delete_expense'])) {

 if (isset($_POST['bulk_edit_expense_category'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    $category_id = intval($_POST['bulk_category_id']);

    // Get Category name for logging and Notification
@@ -141,6 +157,10 @@ if (isset($_POST['bulk_edit_expense_category'])) {

 if (isset($_POST['bulk_edit_expense_account'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    $account_id = intval($_POST['bulk_account_id']);

    // Get Account name for logging and Notification
@@ -178,6 +198,10 @@ if (isset($_POST['bulk_edit_expense_account'])) {

 if (isset($_POST['bulk_edit_expense_client'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    $client_id = intval($_POST['bulk_client_id']);

    // Get Client name for logging and Notification
@@ -212,7 +236,7 @@ if (isset($_POST['bulk_delete_expenses'])) {

    validateCSRFToken($_POST['csrf_token']);

-    validateAdminRole();
+    enforceUserPermission('module_financial', 3);

    if (isset($_POST['expense_ids'])) {

@@ -250,6 +274,10 @@ if (isset($_POST['bulk_delete_expenses'])) {

 if (isset($_POST['export_expenses_csv'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial');
+
    $date_from = sanitizeInput($_POST['date_from']);
    $date_to = sanitizeInput($_POST['date_to']);
    $account = intval($_POST['account']);