From 30357b9cf71958d5e5b2b1c039e77388caa7b354 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Thu, 5 Mar 2026 17:51:20 -0500
Subject: [PATCH] Add CSRF Checks to notifications and ensure the user dismissing the notification is their own notification

---
 agent/notifications.php | 2 +-
 post/misc.php | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/agent/notifications.php b/agent/notifications.php
index 93f93182..2d5ce27c 100644
--- a/agent/notifications.php
+++ b/agent/notifications.php
@@ -141,7 +141,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
+
diff --git a/post/misc.php b/post/misc.php
index 2d2ed5a1..47238dd3 100644
--- a/post/misc.php
+++ b/post/misc.php
@@ -20,9 +20,11 @@ if(isset($_POST['change_records_per_page'])){
 if (isset($_GET['dismiss_notification'])) {
+    validateCSRFToken($_GET['csrf_token']);
+
     $notification_id = intval($_GET['dismiss_notification']);
-    mysqli_query($mysqli,"UPDATE notifications SET notification_dismissed_at = NOW(), notification_dismissed_by = $session_user_id WHERE notification_id = $notification_id");
+    mysqli_query($mysqli,"UPDATE notifications SET notification_dismissed_at = NOW(), notification_dismissed_by = $session_user_id WHERE notification_user_id = $session_user_id AND notification_id = $notification_id");
     // Logging
     logAction("Notification", "Dismiss", "$session_name dismissed notification");
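Review bot: The anti-CSRF token is carried in the URL query string: the replaced line of this agent/notifications.php hunk (its markup was stripped in this rendering, but the post/misc.php hunk reads `$_GET['csrf_token']`, so the dismiss link presumably now appends the token) and the new `validateCSRFToken($_GET['csrf_token']);` line in post/misc.php both depend on that. A token in a GET URL is exposed through browser history, Referer headers and access logs, which weakens the protection the commit adds; the state-changing dismiss would be safer as a small POST form with a hidden `csrf_token` field, validated from `$_POST['csrf_token']`. Separately, when the parameter is absent `$_GET['csrf_token']` raises an undefined-index warning and passes null; `validateCSRFToken($_GET['csrf_token'] ?? '');` makes a missing token fail validation cleanly, assuming validateCSRFToken rejects an empty string — confirm against its definition. The post/misc.php hunk continues past the end of this excerpt.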