mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 08:14:52 +00:00
Quote: Add missing CSRF checks and missing permission on export quote pdf
This commit is contained in:
johnnyq
@@ -14,6 +14,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -23,6 +23,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
|
||||
<div class="modal-body">
|
||||
<?php if (isset($_GET['client_id'])) { ?>
|
||||
|
||||
@@ -29,6 +29,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
|
||||
<div class="modal-body">
|
||||
<div class="form-group">
|
||||
|
||||
@@ -24,6 +24,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="quote_id" value="<?= $quote_id ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_quote'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'quote_model.php';
|
||||
@@ -46,6 +48,8 @@ if (isset($_POST['add_quote'])) {
|
||||
|
||||
if (isset($_POST['add_quote_copy'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_POST['quote_id']);
|
||||
@@ -114,6 +118,8 @@ if (isset($_POST['add_quote_copy'])) {
|
||||
|
||||
if (isset($_POST['add_quote_to_invoice'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_POST['quote_id']);
|
||||
@@ -187,6 +193,8 @@ if (isset($_POST['add_quote_to_invoice'])) {
|
||||
|
||||
if (isset($_POST['add_quote_item'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_POST['quote_id']);
|
||||
@@ -241,6 +249,8 @@ if (isset($_POST['add_quote_item'])) {
|
||||
|
||||
if (isset($_POST['quote_note'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_POST['quote_id']);
|
||||
@@ -265,6 +275,8 @@ if (isset($_POST['quote_note'])) {
|
||||
|
||||
if (isset($_POST['edit_quote'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'quote_model.php';
|
||||
@@ -299,6 +311,8 @@ if (isset($_POST['edit_quote'])) {
|
||||
|
||||
if (isset($_GET['delete_quote'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 3);
|
||||
|
||||
$quote_id = intval($_GET['delete_quote']);
|
||||
@@ -341,6 +355,8 @@ if (isset($_GET['delete_quote'])) {
|
||||
|
||||
if (isset($_GET['delete_quote_item'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$item_id = intval($_GET['delete_quote_item']);
|
||||
@@ -375,6 +391,8 @@ if (isset($_GET['delete_quote_item'])) {
|
||||
|
||||
if (isset($_GET['mark_quote_sent'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_GET['mark_quote_sent']);
|
||||
@@ -399,6 +417,8 @@ if (isset($_GET['mark_quote_sent'])) {
|
||||
|
||||
if (isset($_GET['accept_quote'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_GET['accept_quote']);
|
||||
@@ -425,6 +445,8 @@ if (isset($_GET['accept_quote'])) {
|
||||
|
||||
if (isset($_GET['decline_quote'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_GET['decline_quote']);
|
||||
@@ -451,6 +473,8 @@ if (isset($_GET['decline_quote'])) {
|
||||
|
||||
if (isset($_GET['email_quote'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_GET['email_quote']);
|
||||
@@ -529,6 +553,8 @@ if (isset($_GET['email_quote'])) {
|
||||
|
||||
if (isset($_GET['mark_quote_invoiced'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$quote_id = intval($_GET['mark_quote_invoiced']);
|
||||
@@ -553,6 +579,8 @@ if (isset($_GET['mark_quote_invoiced'])) {
|
||||
|
||||
if(isset($_POST['export_quotes_csv'])){
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales');
|
||||
|
||||
if ($_POST['client_id']) {
|
||||
@@ -611,6 +639,10 @@ if(isset($_POST['export_quotes_csv'])){
|
||||
|
||||
if (isset($_GET['export_quote_pdf'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales');
|
||||
|
||||
$quote_id = intval($_GET['export_quote_pdf']);
|
||||
|
||||
$sql = mysqli_query(
|
||||
|
||||
@@ -150,22 +150,22 @@ if (isset($_GET['quote_id'])) {
|
||||
</button>
|
||||
<div class="dropdown-menu">
|
||||
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php } ?>
|
||||
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?mark_quote_sent=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
||||
</a>
|
||||
</div>
|
||||
<?php } ?>
|
||||
|
||||
<?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
|
||||
<a class="btn btn-primary confirm-link" href="post.php?accept_quote=<?php echo $quote_id; ?>">
|
||||
<a class="btn btn-primary confirm-link" href="post.php?accept_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-thumbs-up mr-2"></i>Accept
|
||||
</a>
|
||||
<a class="btn btn-default confirm-link" href="post.php?decline_quote=<?php echo $quote_id; ?>">
|
||||
<a class="btn btn-default confirm-link" href="post.php?decline_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-thumbs-down mr-2"></i>Decline
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -180,7 +180,7 @@ if (isset($_GET['quote_id'])) {
|
||||
<span class="sr-only">Toggle Dropdown</span>
|
||||
</button>
|
||||
<div class="dropdown-menu dropdown-menu-right">
|
||||
<a class="dropdown-item" href="post.php?mark_quote_invoiced=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?mark_quote_invoiced=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Invoiced
|
||||
</a>
|
||||
</div>
|
||||
@@ -209,11 +209,11 @@ if (isset($_GET['quote_id'])) {
|
||||
<a class="dropdown-item" href="#" onclick="window.print();">
|
||||
<i class="fa fa-fw fa-print text-secondary mr-2"></i>Print
|
||||
</a>
|
||||
<a class="dropdown-item" href="post.php?export_quote_pdf=<?php echo $quote_id; ?>" target="_blank">
|
||||
<a class="dropdown-item" href="post.php?export_quote_pdf=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" target="_blank">
|
||||
<i class="fa fa-fw fa-download text-secondary mr-2"></i>Download PDF
|
||||
</a>
|
||||
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fa fa-fw fa-paper-plane text-secondary mr-2"></i>Send Email
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -222,7 +222,7 @@ if (isset($_GET['quote_id'])) {
|
||||
</a>
|
||||
<?php if (lookupUserPermission("module_sales") >= 3) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fa fa-fw fa-times mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -341,7 +341,7 @@ if (isset($_GET['quote_id'])) {
|
||||
<i class="fa fa-fw fa-edit mr-2"></i>Edit
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_quote_item=<?php echo $item_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_quote_item=<?= $item_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fa fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
</div>
|
||||
@@ -367,6 +367,7 @@ if (isset($_GET['quote_id'])) {
|
||||
echo "hidden";
|
||||
} ?>>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
|
||||
<input type="hidden" name="item_order" value="<?php
|
||||
//find largest order number and add 1
|
||||
|
||||
@@ -224,13 +224,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
</a>
|
||||
<?php if (!empty($config_smtp_host)) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Email
|
||||
</a>
|
||||
<?php } ?>
|
||||
<?php if (lookupUserPermission("module_sales") >= 3) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?php echo $quote_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
Reference in New Issue
Block a user