Invoice: Add missing CSRF checks and missing permissions

2026-03-11 08:14:52 +00:00 · 2026-03-01 22:22:21 -05:00
parent 2c47001b19
commit 4440581f14
10 changed files with 85 additions and 15 deletions
--- a/agent/modals/invoice/invoice_edit.php
+++ b/agent/modals/invoice/invoice_edit.php
@@ -29,6 +29,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">

    <div class="modal-body" <?php if (lookupUserPermission('module_sales') <= 1) { echo 'inert'; } ?>>