AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Expenses: Add missing CSRF, Add missing perms

Browse Source
This commit is contained in:
johnnyq
2026-03-02 17:27:56 -05:00
parent 5b49908438
commit 1d5fceeecd
6 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
agent/post/expense.php
View File

@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_expense'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
require_once 'expense_model.php';
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
@@ -43,6 +47,10 @@ if (isset($_POST['add_expense'])) {
if (isset($_POST['edit_expense'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
require_once 'expense_model.php';
$expense_id = intval($_POST['expense_id']);
@@ -82,6 +90,10 @@ if (isset($_POST['edit_expense'])) {
if (isset($_GET['delete_expense'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_financial', 3);
$expense_id = intval($_GET['delete_expense']);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
@@ -104,6 +116,10 @@ if (isset($_GET['delete_expense'])) {
if (isset($_POST['bulk_edit_expense_category'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$category_id = intval($_POST['bulk_category_id']);
// Get Category name for logging and Notification
@@ -141,6 +157,10 @@ if (isset($_POST['bulk_edit_expense_category'])) {
if (isset($_POST['bulk_edit_expense_account'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$account_id = intval($_POST['bulk_account_id']);
// Get Account name for logging and Notification
@@ -178,6 +198,10 @@ if (isset($_POST['bulk_edit_expense_account'])) {
if (isset($_POST['bulk_edit_expense_client'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$client_id = intval($_POST['bulk_client_id']);
// Get Client name for logging and Notification
@@ -212,7 +236,7 @@ if (isset($_POST['bulk_delete_expenses'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
enforceUserPermission('module_financial', 3);
if (isset($_POST['expense_ids'])) {
@@ -250,6 +274,10 @@ if (isset($_POST['bulk_delete_expenses'])) {
if (isset($_POST['export_expenses_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial');
$date_from = sanitizeInput($_POST['date_from']);
$date_to = sanitizeInput($_POST['date_to']);
$account = intval($_POST['account']);