mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 00:04:50 +00:00
Invoice: Add missing CSRF checks and missing permissions
This commit is contained in:
johnnyq
@@ -226,12 +226,12 @@ if (isset($_GET['invoice_id'])) {
|
||||
</button>
|
||||
<div class="dropdown-menu">
|
||||
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php } ?>
|
||||
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
||||
</a>
|
||||
</div>
|
||||
@@ -254,7 +254,7 @@ if (isset($_GET['invoice_id'])) {
|
||||
<?php } ?>
|
||||
|
||||
<?php if (($invoice_status == 'Sent' || $invoice_status == 'Viewed') && $invoice_amount == 0 && $invoice_status !== 'Non-Billable') { ?>
|
||||
<a class="btn btn-dark" href="post.php?mark_invoice_non-billable=<?php echo $invoice_id; ?>">
|
||||
<a class="btn btn-dark" href="post.php?mark_invoice_non-billable=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
Mark Non-Billable
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -285,14 +285,14 @@ if (isset($_GET['invoice_id'])) {
|
||||
<a class="dropdown-item" href="#" onclick="window.print();">
|
||||
<i class="fa fa-fw fa-print text-secondary mr-2"></i>Print
|
||||
</a>
|
||||
<a class="dropdown-item" href="post.php?export_invoice_pdf=<?php echo $invoice_id; ?>" target="_blank">
|
||||
<a class="dropdown-item" href="post.php?export_invoice_pdf=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" target="_blank">
|
||||
<i class="fa fa-fw fa-download text-secondary mr-2"></i>Download PDF
|
||||
</a>
|
||||
<a class="dropdown-item" href="post.php?export_invoice_packing_slip=<?php echo $invoice_id; ?>" target="_blank">
|
||||
<a class="dropdown-item" href="post.php?export_invoice_packing_slip=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" target="_blank">
|
||||
<i class="fa fa-fw fa-box-open text-secondary mr-2"></i>Packing Slip
|
||||
</a>
|
||||
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fa fa-fw fa-paper-plane text-secondary mr-2"></i>Send Email
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -301,12 +301,12 @@ if (isset($_GET['invoice_id'])) {
|
||||
</a>
|
||||
<?php if ($invoice_status !== 'Cancelled' && $invoice_status !== 'Paid' && $invoice_status !== 'Non-Billable') { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?cancel_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?cancel_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fa fa-fw fa-times mr-2"></i>Cancel
|
||||
</a>
|
||||
<?php } ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
</div>
|
||||
@@ -430,7 +430,7 @@ if (isset($_GET['invoice_id'])) {
|
||||
<i class="fa fa-fw fa-edit mr-2"></i>Edit
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_invoice_item=<?php echo $item_id; ?>"><i class="fa fa-fw fa-trash mr-2"></i>Delete</a>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?delete_invoice_item=<?= $item_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fa fa-fw fa-trash mr-2"></i>Delete</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
@@ -449,6 +449,7 @@ if (isset($_GET['invoice_id'])) {
|
||||
?>
|
||||
<tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled" || lookupUserPermission("module_sales") <= 1) { echo "hidden"; } ?>>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="invoice_id" value="<?= $invoice_id ?>">
|
||||
<input type="hidden" id="product_id" name="product_id" value="<?= $item_product_id ?? 0 ?>">
|
||||
<input type="hidden" name="item_order" value="<?php echo mysqli_num_rows($sql_invoice_items) + 1; ?>">
|
||||
@@ -656,7 +657,7 @@ if (isset($_GET['invoice_id'])) {
|
||||
<td class="text-right"><?php echo numfmt_format_currency($currency_format, $payment_amount, $payment_currency_code); ?></td>
|
||||
<td><?php echo $payment_reference; ?></td>
|
||||
<td><?php echo $account_name; ?></td>
|
||||
<td class="text-center"><a class="btn btn-light text-danger confirm-link" href="post.php?delete_payment=<?php echo $payment_id; ?>"><i class="fa fa-times"></i></a></td>
|
||||
<td class="text-center"><a class="btn btn-light text-danger confirm-link" href="post.php?delete_payment=<?= $payment_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fa fa-times"></i></a></td>
|
||||
</tr>
|
||||
<?php
|
||||
}
|
||||
|
||||
@@ -421,18 +421,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php if (!empty($config_smtp_host)) { ?>
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?email_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php } ?>
|
||||
<?php if ($invoice_status == 'Draft') { ?>
|
||||
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<?php } ?>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?php echo $invoice_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
</div>
|
||||
|
||||
@@ -14,6 +14,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -22,6 +22,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -29,6 +29,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
|
||||
|
||||
<div class="modal-body" <?php if (lookupUserPermission('module_sales') <= 1) { echo 'inert'; } ?>>
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -8,8 +8,9 @@
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
|
||||
<div class="modal-body">
|
||||
<div class="modal-body">
|
||||
<div class="form-group">
|
||||
<textarea class="form-control" rows="8" name="note" placeholder="Enter some notes"><?php echo $invoice_note; ?></textarea>
|
||||
</div>
|
||||
@@ -21,4 +22,4 @@
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -20,6 +20,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="invoice_id" value="<?= $invoice_id ?>">
|
||||
<div class="modal-body">
|
||||
<div class="form-group">
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="item_id" value="<?php echo $item_id; ?>">
|
||||
<input type="hidden" name="product_id" value="<?php echo $product_id; ?>">
|
||||
|
||||
|
||||
@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_invoice'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'invoice_model.php';
|
||||
|
||||
$client_id = intval($_POST['client']);
|
||||
@@ -49,6 +53,10 @@ if (isset($_POST['add_invoice'])) {
|
||||
|
||||
if (isset($_POST['edit_invoice'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'invoice_model.php';
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
@@ -83,6 +91,10 @@ if (isset($_POST['edit_invoice'])) {
|
||||
|
||||
if (isset($_POST['add_invoice_copy'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
$date = sanitizeInput($_POST['date']);
|
||||
|
||||
@@ -148,6 +160,10 @@ if (isset($_POST['add_invoice_copy'])) {
|
||||
|
||||
if (isset($_GET['mark_invoice_sent'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_GET['mark_invoice_sent']);
|
||||
|
||||
// Get Invoice Number and Prefix and Client ID for Logging
|
||||
@@ -171,6 +187,10 @@ if (isset($_GET['mark_invoice_sent'])) {
|
||||
|
||||
if (isset($_GET['mark_invoice_non-billable'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_GET['mark_invoice_non-billable']);
|
||||
|
||||
// Get Invoice Number and Prefix and Client ID for Logging
|
||||
@@ -194,6 +214,10 @@ if (isset($_GET['mark_invoice_non-billable'])) {
|
||||
|
||||
if (isset($_GET['cancel_invoice'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_GET['cancel_invoice']);
|
||||
|
||||
// Get Invoice Number and Prefix and Client ID for Logging
|
||||
@@ -217,6 +241,10 @@ if (isset($_GET['cancel_invoice'])) {
|
||||
|
||||
if (isset($_GET['delete_invoice'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 3);
|
||||
|
||||
$invoice_id = intval($_GET['delete_invoice']);
|
||||
|
||||
// Get Invoice Number and Prefix and Client ID for Logging
|
||||
@@ -262,6 +290,8 @@ if (isset($_GET['delete_invoice'])) {
|
||||
|
||||
if (isset($_POST['add_invoice_item'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
@@ -345,6 +375,8 @@ if (isset($_POST['add_invoice_item'])) {
|
||||
|
||||
if (isset($_POST['invoice_note'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
@@ -369,6 +401,8 @@ if (isset($_POST['invoice_note'])) {
|
||||
|
||||
if (isset($_POST['edit_item'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$item_id = intval($_POST['item_id']);
|
||||
@@ -469,6 +503,8 @@ if (isset($_POST['edit_item'])) {
|
||||
|
||||
if (isset($_GET['delete_invoice_item'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$item_id = intval($_GET['delete_invoice_item']);
|
||||
@@ -510,6 +546,10 @@ if (isset($_GET['delete_invoice_item'])) {
|
||||
|
||||
if (isset($_GET['email_invoice'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_GET['email_invoice']);
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT * FROM invoices
|
||||
@@ -632,6 +672,8 @@ if (isset($_GET['email_invoice'])) {
|
||||
|
||||
if (isset($_POST['export_invoices_csv'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales');
|
||||
|
||||
if ($_POST['client_id']) {
|
||||
@@ -697,6 +739,10 @@ if (isset($_POST['export_invoices_csv'])) {
|
||||
|
||||
if (isset($_POST['link_invoice_to_ticket'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
$ticket_id = intval($_POST['ticket_id']);
|
||||
|
||||
@@ -710,6 +756,10 @@ if (isset($_POST['link_invoice_to_ticket'])) {
|
||||
|
||||
if (isset($_POST['add_ticket_to_invoice'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$invoice_id = intval($_POST['invoice_id']);
|
||||
$ticket_id = intval($_POST['ticket_id']);
|
||||
|
||||
@@ -723,6 +773,10 @@ if (isset($_POST['add_ticket_to_invoice'])) {
|
||||
|
||||
if (isset($_GET['export_invoice_pdf'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales');
|
||||
|
||||
$invoice_id = intval($_GET['export_invoice_pdf']);
|
||||
|
||||
$sql = mysqli_query(
|
||||
@@ -946,6 +1000,10 @@ if (isset($_GET['export_invoice_pdf'])) {
|
||||
|
||||
if (isset($_GET['export_invoice_packing_slip'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales');
|
||||
|
||||
$invoice_id = intval($_GET['export_invoice_packing_slip']);
|
||||
|
||||
$sql = mysqli_query(
|
||||
@@ -1087,6 +1145,10 @@ if (isset($_GET['export_invoice_packing_slip'])) {
|
||||
|
||||
if (isset($_POST['bulk_edit_invoice_category'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$category_id = intval($_POST['bulk_category_id']);
|
||||
|
||||
// Get Category name for logging and Notification
|
||||
|
||||
Reference in New Issue
Block a user