AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Accounts: Add missing CSRF checks

Browse Source
This commit is contained in:
johnnyq
2026-03-02 17:35:18 -05:00
parent 3d80d1519e
commit 550980719e
2 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
agent/modals/account/account_edit.php
View File

@@ -21,8 +21,9 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="account_id" value="<?php echo $account_id; ?>">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<input type="hidden" name="account_id" value="<?php echo $account_id; ?>">
<div class="modal-body">
<div class="form-group">
<label>Account Name <strong class="text-danger">*</strong></label>

20
agent/post/account.php
View File

@@ -7,10 +7,12 @@
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$name = sanitizeInput($_POST['name']);
$opening_balance = floatval($_POST['opening_balance']);
$currency_code = sanitizeInput($_POST['currency_code']);
@@ -27,10 +29,11 @@ if (isset($_POST['add_account'])) {
}
if (isset($_POST['edit_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial', 2);
$account_id = intval($_POST['account_id']);
$name = sanitizeInput($_POST['name']);
$notes = sanitizeInput($_POST['notes']);
@@ -46,10 +49,11 @@ if (isset($_POST['edit_account'])) {
}
if (isset($_GET['archive_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_financial', 2);
$account_id = intval($_GET['archive_account']);
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
@@ -66,7 +70,9 @@ if (isset($_GET['archive_account'])) {
// Not used anywhere?
if (isset($_GET['delete_account'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_financial', 3);
$account_id = intval($_GET['delete_account']);