AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Invoice: Add missing CSRF checks and missing permissions

Browse Source
This commit is contained in:
johnnyq
2026-03-01 22:22:21 -05:00
parent 2c47001b19
commit 4440581f14
10 changed files with 85 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
agent/invoices.php
View File

@@ -421,18 +421,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a>
<div class="dropdown-divider"></div>
<?php if (!empty($config_smtp_host)) { ?>
<a class="dropdown-item" href="post.php?email_invoice=<?php echo $invoice_id; ?>">
<a class="dropdown-item" href="post.php?email_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
</a>
<div class="dropdown-divider"></div>
<?php } ?>
<?php if ($invoice_status == 'Draft') { ?>
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
</a>
<div class="dropdown-divider"></div>
<?php } ?>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?php echo $invoice_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_invoice=<?= $invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete
</a>
</div>