AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Quote: Add missing CSRF checks and missing permission on export quote pdf

Browse Source
This commit is contained in:
johnnyq
2026-03-01 22:02:43 -05:00
parent e1daa14087
commit 2c47001b19
9 changed files with 50 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
agent/post/quote.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_quote'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
require_once 'quote_model.php';
@@ -46,6 +48,8 @@ if (isset($_POST['add_quote'])) {
if (isset($_POST['add_quote_copy'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
@@ -114,6 +118,8 @@ if (isset($_POST['add_quote_copy'])) {
if (isset($_POST['add_quote_to_invoice'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
@@ -187,6 +193,8 @@ if (isset($_POST['add_quote_to_invoice'])) {
if (isset($_POST['add_quote_item'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
@@ -241,6 +249,8 @@ if (isset($_POST['add_quote_item'])) {
if (isset($_POST['quote_note'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
@@ -265,6 +275,8 @@ if (isset($_POST['quote_note'])) {
if (isset($_POST['edit_quote'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
require_once 'quote_model.php';
@@ -299,6 +311,8 @@ if (isset($_POST['edit_quote'])) {
if (isset($_GET['delete_quote'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 3);
$quote_id = intval($_GET['delete_quote']);
@@ -341,6 +355,8 @@ if (isset($_GET['delete_quote'])) {
if (isset($_GET['delete_quote_item'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_quote_item']);
@@ -375,6 +391,8 @@ if (isset($_GET['delete_quote_item'])) {
if (isset($_GET['mark_quote_sent'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_sent']);
@@ -399,6 +417,8 @@ if (isset($_GET['mark_quote_sent'])) {
if (isset($_GET['accept_quote'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['accept_quote']);
@@ -425,6 +445,8 @@ if (isset($_GET['accept_quote'])) {
if (isset($_GET['decline_quote'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['decline_quote']);
@@ -451,6 +473,8 @@ if (isset($_GET['decline_quote'])) {
if (isset($_GET['email_quote'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['email_quote']);
@@ -529,6 +553,8 @@ if (isset($_GET['email_quote'])) {
if (isset($_GET['mark_quote_invoiced'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_invoiced']);
@@ -553,6 +579,8 @@ if (isset($_GET['mark_quote_invoiced'])) {
if(isset($_POST['export_quotes_csv'])){
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales');
if ($_POST['client_id']) {
@@ -611,6 +639,10 @@ if(isset($_POST['export_quotes_csv'])){
if (isset($_GET['export_quote_pdf'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales');
$quote_id = intval($_GET['export_quote_pdf']);
$sql = mysqli_query(