Add CSRF Checks to notifications and ensure the user dismissing the notification is their own notification

agent/notifications.php

@@ -141,7 +141,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                     <td><?php echo $notification_dismissed_at; ?></td>
                     <?php } ?>
                     <?php if(!$dismissed_filter) { ?>
-                    <td class="text-center"><a class="btn btn-secondary btn-sm" href="post.php?dismiss_notification=<?php echo $notification_id; ?>" title="Dismiss"><i class="fas fa-check"></i></a></td>
+                    <td class="text-center"><a class="btn btn-secondary btn-sm" href="post.php?dismiss_notification=<?= $notification_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" title="Dismiss"><i class="fas fa-check"></i></a></td>
                     <?php } ?>
                 </tr>
 

post/misc.php

@@ -20,9 +20,11 @@ if(isset($_POST['change_records_per_page'])){
 
 if (isset($_GET['dismiss_notification'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $notification_id = intval($_GET['dismiss_notification']);
 
-    mysqli_query($mysqli,"UPDATE notifications SET notification_dismissed_at = NOW(), notification_dismissed_by = $session_user_id WHERE notification_id = $notification_id");
+    mysqli_query($mysqli,"UPDATE notifications SET notification_dismissed_at = NOW(), notification_dismissed_by = $session_user_id WHERE notification_user_id = $session_user_id AND notification_id = $notification_id");
 
     // Logging
     logAction("Notification", "Dismiss", "$session_name dismissed notification");