Recurring Expenses: Add missing CSRF, Add missing permission checks

This commit is contained in:
johnnyq
2026-03-02 17:32:18 -05:00
parent 1d5fceeecd
commit 3d80d1519e
4 changed files with 18 additions and 2 deletions


@@ -14,6 +14,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<div class="modal-body">
<div class="form-row">
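Review bot: The session token is written straight into the value attribute on `<?= $_SESSION['csrf_token'] ?>` without output escaping; the same pattern appears in the edit-modal hunk below and in the delete link's href in the last file. If the token is generated as hex from random_bytes() it is attribute-safe in practice, but escaping at the output boundary removes that hidden dependency on how the token is produced, e.g. `value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"`. The enclosing form and modal markup start and end outside the hunk.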


@@ -36,8 +36,10 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="recurring_expense_id" value="<?php echo $recurring_expense_id; ?>">
<div class="modal-body">
<input type="hidden" name="recurring_expense_id" value="<?php echo $recurring_expense_id; ?>">
<div class="form-row">
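Review bot: The hidden `recurring_expense_id` input now appears twice in this form — once on the new line directly under the csrf_token input and once again inside the modal-body — unless the second occurrence is removed by this commit, which the rendered view does not make clear. Two identical inputs with the same name are harmless to `intval($_POST['recurring_expense_id'])` because the last value wins, but the duplicate should be dropped so the form has a single source for the id. The enclosing form starts and ends outside the hunk.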


@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['create_recurring_expense'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
$month = intval($_POST['month']);
@@ -39,6 +43,10 @@ if (isset($_POST['create_recurring_expense'])) {
if (isset($_POST['edit_recurring_expense'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$recurring_expense_id = intval($_POST['recurring_expense_id']);
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
@@ -68,6 +76,11 @@ if (isset($_POST['edit_recurring_expense'])) {
}
if (isset($_GET['delete_recurring_expense'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_financial', 2);
$recurring_expense_id = intval($_GET['delete_recurring_expense']);
// Get Recurring Expense Details for Logging
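Review bot: `validateCSRFToken($_POST['csrf_token'])` in the create and edit branches, and `validateCSRFToken($_GET['csrf_token'])` in the delete branch, read the key without a guard, so a request that omits the token emits an undefined-array-key warning and passes null; whether that is rejected cleanly or fails with a TypeError depends on validateCSRFToken's parameter type, which is outside this hunk. Using `validateCSRFToken($_POST['csrf_token'] ?? '');` (and the `$_GET` equivalent in the delete branch) keeps a missing token on the normal rejection path instead of the error path. Each handler's body continues past its hunk.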


@@ -188,7 +188,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<i class="fas fa-fw fa-edit mr-2"></i>Edit
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_expense=<?php echo $recurring_expense_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_expense=<?= $recurring_expense_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete
</a>
</div>
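Review bot: The delete still happens on a GET request, so the csrf_token added to the href ends up in browser history, server and proxy access logs, and the Referer header of any navigation away from the confirmation, and a state-changing action remains a single link that prefetchers can follow. Carrying the token in the query string does close the CSRF gap, but a small POST form keeps the token out of the URL and lets the post.php handler read `$_POST` instead of `$_GET`; that handler change is in another file and not in this hunk, and the confirm-link behaviour may need adapting for a submit button. The enclosing dropdown markup starts outside the hunk.
```php
<form action="post.php" method="post">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>">
    <input type="hidden" name="delete_recurring_expense" value="<?= (int) $recurring_expense_id ?>">
    <button type="submit" class="dropdown-item text-danger text-bold confirm-link">
        <i class="fas fa-fw fa-trash mr-2"></i>Delete
    </button>
</form>
```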