AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-16 10:44:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ticket Tasks: Add missing CSRF checks and other CSRF checks missed in he previous commits

Browse Source
This commit is contained in:
johnnyq
2026-03-01 21:45:26 -05:00
parent 54638428e3
commit 308dc6e550
6 changed files with 30 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
agent/includes/inc_client_top_head.php
View File

@@ -39,8 +39,8 @@
</a> </a>
<?php } else { ?> <?php } else { ?>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-primary confirm-link" href="post.php?undo_archive_client=<?php echo $client_id; ?>"> <a class="dropdown-item text-primary confirm-link" href="post.php?restore_client=<?= $client_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Unarchive Client <i class="fas fa-fw fa-archive mr-2"></i>Restore Client
</a> </a>
<?php } ?> <?php } ?>

2
agent/modals/ticket/ticket_task_approver_add.php
View File

@@ -24,8 +24,8 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>"> <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/ticket/ticket_task_edit.php
View File

@@ -34,6 +34,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="task_id" value="<?php echo $task_id; ?>"> <input type="hidden" name="task_id" value="<?php echo $task_id; ?>">
<div class="modal-body"> <div class="modal-body">

16
agent/post/task.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_task'])) { if (isset($_POST['add_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']); $ticket_id = intval($_POST['ticket_id']);
@@ -30,6 +32,8 @@ if (isset($_POST['add_task'])) {
if (isset($_POST['edit_ticket_task'])) { if (isset($_POST['edit_ticket_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_id = intval($_POST['task_id']); $task_id = intval($_POST['task_id']);
@@ -54,6 +58,8 @@ if (isset($_POST['edit_ticket_task'])) {
if (isset($_POST['edit_ticket_template_task'])) { if (isset($_POST['edit_ticket_template_task'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_template_id = intval($_POST['task_template_id']); $task_template_id = intval($_POST['task_template_id']);
@@ -97,6 +103,8 @@ if (isset($_GET['delete_task'])) {
if (isset($_GET['complete_task'])) { if (isset($_GET['complete_task'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_id = intval($_GET['complete_task']); $task_id = intval($_GET['complete_task']);
@@ -129,6 +137,8 @@ if (isset($_GET['complete_task'])) {
if (isset($_GET['undo_complete_task'])) { if (isset($_GET['undo_complete_task'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_id = intval($_GET['undo_complete_task']); $task_id = intval($_GET['undo_complete_task']);
@@ -158,6 +168,7 @@ if (isset($_GET['undo_complete_task'])) {
if (isset($_POST['add_ticket_task_approver'])) { if (isset($_POST['add_ticket_task_approver'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_id = intval($_POST['task_id']); $task_id = intval($_POST['task_id']);
@@ -331,6 +342,7 @@ if (isset($_POST['add_ticket_task_approver'])) {
if (isset($_GET['approve_ticket_task'])) { if (isset($_GET['approve_ticket_task'])) {
validateCSRFToken($_GET['csrf_token']); validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$task_id = intval($_GET['approve_task']); $task_id = intval($_GET['approve_task']);
@@ -398,6 +410,8 @@ if (isset($_GET['delete_ticket_task_approver'])) {
if (isset($_GET['complete_all_tasks'])) { if (isset($_GET['complete_all_tasks'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['complete_all_tasks']); $ticket_id = intval($_GET['complete_all_tasks']);
@@ -422,6 +436,8 @@ if (isset($_GET['complete_all_tasks'])) {
if (isset($_GET['undo_complete_all_tasks'])) { if (isset($_GET['undo_complete_all_tasks'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['undo_complete_all_tasks']); $ticket_id = intval($_GET['undo_complete_all_tasks']);

2
agent/project_details.php
View File

@@ -527,7 +527,7 @@ if (isset($_GET['project_id'])) {
<?php if ($task_completed_at) { ?> <?php if ($task_completed_at) { ?>
<i class="far fa-check-square text-success mr-2"></i> <i class="far fa-check-square text-success mr-2"></i>
<?php } else { ?> <?php } else { ?>
<a href="post.php?complete_task=<?php echo $task_id; ?>"> <a href="post.php?complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-square text-secondary mr-2"></i> <i class="far fa-square text-secondary mr-2"></i>
</a> </a>
<?php } ?> <?php } ?>

9
agent/ticket.php
View File

@@ -913,11 +913,11 @@ if (isset($_GET['ticket_id'])) {
<i class="fas fa-ellipsis-v"></i> <i class="fas fa-ellipsis-v"></i>
</button> </button>
<div class="dropdown-menu"> <div class="dropdown-menu">
<a class="dropdown-item text-success" href="post.php?complete_all_tasks=<?php echo $ticket_id; ?>"> <a class="dropdown-item text-success" href="post.php?complete_all_tasks=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-check-double mr-2"></i>Mark All Complete <i class="fas fa-fw fa-check-double mr-2"></i>Mark All Complete
</a> </a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item" href="post.php?undo_complete_all_tasks=<?php echo $ticket_id; ?>"> <a class="dropdown-item" href="post.php?undo_complete_all_tasks=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-fw fa-square mr-2"></i>Mark All Incomplete <i class="far fa-fw fa-square mr-2"></i>Mark All Incomplete
</a> </a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
@@ -933,6 +933,7 @@ if (isset($_GET['ticket_id'])) {
<?php if (empty($ticket_resolved_at) && lookupUserPermission("module_support") >= 2) { ?> <?php if (empty($ticket_resolved_at) && lookupUserPermission("module_support") >= 2) { ?>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>"> <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="form-group px-2 pt-3"> <div class="form-group px-2 pt-3">
<div class="input-group input-group-sm"> <div class="input-group input-group-sm">
@@ -1016,7 +1017,7 @@ if (isset($_GET['ticket_id'])) {
<?php } ?> <?php } ?>
<?php } else { ?> <?php } else { ?>
<a href="post.php?complete_task=<?php echo $task_id; ?>"> <a href="post.php?complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="far fa-square text-dark"></i> <i class="far fa-square text-dark"></i>
</a> </a>
<?php } ?> <?php } ?>
@@ -1049,7 +1050,7 @@ if (isset($_GET['ticket_id'])) {
</a> </a>
<?php } ?> <?php } ?>
<?php if ($task_completed_at) { ?> <?php if ($task_completed_at) { ?>
<a class="dropdown-item" href="post.php?undo_complete_task=<?php echo $task_id; ?>"> <a class="dropdown-item" href="post.php?undo_complete_task=<?= $task_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-arrow-circle-left mr-2"></i>Mark incomplete <i class="fas fa-fw fa-arrow-circle-left mr-2"></i>Mark incomplete
</a> </a>
<?php } ?> <?php } ?>