AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ticket Tasks: Add missing CSRF checks and other CSRF checks missed in he previous commits

Browse Source
This commit is contained in:
johnnyq
2026-03-01 21:45:26 -05:00
parent 54638428e3
commit 308dc6e550
6 changed files with 30 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
agent/includes/inc_client_top_head.php
View File

@@ -1,4 +1,4 @@
<?php $show_add_credit = 0; // Remove once credits is added hides the button ?>
<?php $show_add_credit = 0; // Remove once credits is added hides the button ?>
<div class="card d-print-none">
<div class="card-header pb-1 pt-2 px-3">
@@ -39,8 +39,8 @@
</a>
<?php } else { ?>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-primary confirm-link" href="post.php?undo_archive_client=<?php echo $client_id; ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Unarchive Client
<a class="dropdown-item text-primary confirm-link" href="post.php?restore_client=<?= $client_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Restore Client
</a>
<?php } ?>
@@ -59,7 +59,7 @@
</div>
<div class="collapse <?php if (basename($_SERVER["PHP_SELF"]) == "client_overview.php") { echo "show"; } ?>" id="clientHeader">
<div class="card-group mb-3">
<div class="card card-body px-3 py-2">
<h5>Primary Location</h5>
@@ -129,7 +129,7 @@
</div>
<?php if (lookupUserPermission("module_financial") >= 1 && $config_module_enable_accounting == 1) { ?>
<div class="card card-body px-3 py-2">
<h5>Billing</h5>
<div class="ml-1 text-secondary">Hourly Rate
@@ -141,7 +141,7 @@
<div class="ml-1 mt-1 text-secondary">Balance
<span class="<?php if ($balance > 0) { echo "text-danger"; }else{ echo "text-dark"; } ?> float-right"> <?php echo numfmt_format_currency($currency_format, $balance, $client_currency_code); ?></span>
</div>
<?php /* Credit Not Ready 2025-08-27 JQ
<?php /* Credit Not Ready 2025-08-27 JQ
if ($credit_balance) { ?>
<div class="ml-1 mt-1 text-secondary">Credit
<span class="text-success float-right"><?php echo numfmt_format_currency($currency_format, $credit_balance, $client_currency_code); ?></span>

2
agent/modals/ticket/ticket_task_approver_add.php
View File

@@ -24,8 +24,8 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<div class="modal-body">

1
agent/modals/ticket/ticket_task_edit.php
View File

@@ -34,6 +34,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<div class="modal-body">

16
agent/post/task.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -30,6 +32,8 @@ if (isset($_POST['add_task'])) {
if (isset($_POST['edit_ticket_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$task_id = intval($_POST['task_id']);
@@ -54,6 +58,8 @@ if (isset($_POST['edit_ticket_task'])) {
if (isset($_POST['edit_ticket_template_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$task_template_id = intval($_POST['task_template_id']);
@@ -97,6 +103,8 @@ if (isset($_GET['delete_task'])) {
if (isset($_GET['complete_task'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$task_id = intval($_GET['complete_task']);
@@ -129,6 +137,8 @@ if (isset($_GET['complete_task'])) {
if (isset($_GET['undo_complete_task'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$task_id = intval($_GET['undo_complete_task']);
@@ -158,6 +168,7 @@ if (isset($_GET['undo_complete_task'])) {
if (isset($_POST['add_ticket_task_approver'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$task_id = intval($_POST['task_id']);
@@ -331,6 +342,7 @@ if (isset($_POST['add_ticket_task_approver'])) {
if (isset($_GET['approve_ticket_task'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$task_id = intval($_GET['approve_task']);
@@ -398,6 +410,8 @@ if (isset($_GET['delete_ticket_task_approver'])) {
if (isset($_GET['complete_all_tasks'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['complete_all_tasks']);
@@ -422,6 +436,8 @@ if (isset($_GET['complete_all_tasks'])) {
if (isset($_GET['undo_complete_all_tasks'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['undo_complete_all_tasks']);

2
agent/project_details.php
View File

@@ -527,7 +527,7 @@ if (isset($_GET['project_id'])) {
<?php if ($task_completed_at) { ?>
<i class="far fa-check-square text-success mr-2"></i>
<?php } else { ?>
<a href="post.php?complete_task=<?php echo $task_id; ?>">
<a href="post.php?complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-square text-secondary mr-2"></i>
</a>
<?php } ?>

9
agent/ticket.php
View File

@@ -913,11 +913,11 @@ if (isset($_GET['ticket_id'])) {
<i class="fas fa-ellipsis-v"></i>
</button>
<div class="dropdown-menu">
<a class="dropdown-item text-success" href="post.php?complete_all_tasks=<?php echo $ticket_id; ?>">
<a class="dropdown-item text-success" href="post.php?complete_all_tasks=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-check-double mr-2"></i>Mark All Complete
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item" href="post.php?undo_complete_all_tasks=<?php echo $ticket_id; ?>">
<a class="dropdown-item" href="post.php?undo_complete_all_tasks=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-fw fa-square mr-2"></i>Mark All Incomplete
</a>
<div class="dropdown-divider"></div>
@@ -933,6 +933,7 @@ if (isset($_GET['ticket_id'])) {
<?php if (empty($ticket_resolved_at) && lookupUserPermission("module_support") >= 2) { ?>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="form-group px-2 pt-3">
<div class="input-group input-group-sm">
@@ -1016,7 +1017,7 @@ if (isset($_GET['ticket_id'])) {
<?php } ?>
<?php } else { ?>
<a href="post.php?complete_task=<?php echo $task_id; ?>">
<a href="post.php?complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-square text-dark"></i>
</a>
<?php } ?>
@@ -1049,7 +1050,7 @@ if (isset($_GET['ticket_id'])) {
</a>
<?php } ?>
<?php if ($task_completed_at) { ?>
<a class="dropdown-item" href="post.php?undo_complete_task=<?php echo $task_id; ?>">
<a class="dropdown-item" href="post.php?undo_complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-arrow-circle-left mr-2"></i>Mark incomplete
</a>
<?php } ?>