AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Quote: Add missing CSRF checks and missing permission on export quote pdf

Browse Source
This commit is contained in:
johnnyq
2026-03-01 22:02:43 -05:00
parent e1daa14087
commit 2c47001b19
9 changed files with 50 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
agent/quote.php
View File

@@ -150,22 +150,22 @@ if (isset($_GET['quote_id'])) {
</button>
<div class="dropdown-menu">
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
<a class="dropdown-item" href="post.php?email_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
</a>
<div class="dropdown-divider"></div>
<?php } ?>
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
<a class="dropdown-item" href="post.php?mark_quote_sent=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
</a>
</div>
<?php } ?>
<?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
<a class="btn btn-primary confirm-link" href="post.php?accept_quote=<?php echo $quote_id; ?>">
<a class="btn btn-primary confirm-link" href="post.php?accept_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-thumbs-up mr-2"></i>Accept
</a>
<a class="btn btn-default confirm-link" href="post.php?decline_quote=<?php echo $quote_id; ?>">
<a class="btn btn-default confirm-link" href="post.php?decline_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-thumbs-down mr-2"></i>Decline
</a>
<?php } ?>
@@ -180,7 +180,7 @@ if (isset($_GET['quote_id'])) {
<span class="sr-only">Toggle Dropdown</span>
</button>
<div class="dropdown-menu dropdown-menu-right">
<a class="dropdown-item" href="post.php?mark_quote_invoiced=<?php echo $quote_id; ?>">
<a class="dropdown-item" href="post.php?mark_quote_invoiced=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Invoiced
</a>
</div>
@@ -209,11 +209,11 @@ if (isset($_GET['quote_id'])) {
<a class="dropdown-item" href="#" onclick="window.print();">
<i class="fa fa-fw fa-print text-secondary mr-2"></i>Print
</a>
<a class="dropdown-item" href="post.php?export_quote_pdf=<?php echo $quote_id; ?>" target="_blank">
<a class="dropdown-item" href="post.php?export_quote_pdf=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" target="_blank">
<i class="fa fa-fw fa-download text-secondary mr-2"></i>Download PDF
</a>
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
<a class="dropdown-item" href="post.php?email_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fa fa-fw fa-paper-plane text-secondary mr-2"></i>Send Email
</a>
<?php } ?>
@@ -222,7 +222,7 @@ if (isset($_GET['quote_id'])) {
</a>
<?php if (lookupUserPermission("module_sales") >= 3) { ?>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?php echo $quote_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_quote=<?= $quote_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fa fa-fw fa-times mr-2"></i>Delete
</a>
<?php } ?>
@@ -341,7 +341,7 @@ if (isset($_GET['quote_id'])) {
<i class="fa fa-fw fa-edit mr-2"></i>Edit
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_quote_item=<?php echo $item_id; ?>">
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_quote_item=<?= $item_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fa fa-fw fa-trash mr-2"></i>Delete
</a>
</div>
@@ -367,6 +367,7 @@ if (isset($_GET['quote_id'])) {
echo "hidden";
} ?>>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="quote_id" value="<?php echo $quote_id; ?>">
<input type="hidden" name="item_order" value="<?php
//find largest order number and add 1