Quote: Add missing CSRF checks and missing permission on export quote pdf

2026-03-11 08:14:52 +00:00 · 2026-03-01 22:02:43 -05:00
parent e1daa14087
commit 2c47001b19
9 changed files with 50 additions and 11 deletions
--- a/agent/modals/quote/quote_add.php
+++ b/agent/modals/quote/quote_add.php
@@ -14,6 +14,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">

    <div class="modal-body">

--- a/agent/modals/quote/quote_copy.php
+++ b/agent/modals/quote/quote_copy.php
@@ -23,6 +23,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
    <div class="modal-body">
        <?php if (isset($_GET['client_id'])) { ?>
--- a/agent/modals/quote/quote_edit.php
+++ b/agent/modals/quote/quote_edit.php
@@ -29,6 +29,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">

    <div class="modal-body">
--- a/agent/modals/quote/quote_export.php
+++ b/agent/modals/quote/quote_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/quote/quote_note.php
+++ b/agent/modals/quote/quote_note.php
@@ -10,6 +10,7 @@
                </button>
            </div>
            <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
                <div class="modal-body">
                    <div class="form-group">
--- a/agent/modals/quote/quote_to_invoice.php
+++ b/agent/modals/quote/quote_to_invoice.php
@@ -24,6 +24,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="quote_id" value="<?= $quote_id ?>">

    <div class="modal-body">