Accounts: Add missing CSRF checks

2026-03-11 00:04:50 +00:00 · 2026-03-02 17:35:18 -05:00
parent 3d80d1519e
commit 550980719e
2 changed files with 15 additions and 8 deletions
--- a/agent/post/account.php
+++ b/agent/post/account.php
@@ -7,10 +7,12 @@
 defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_account'])) {
-    
-    enforceUserPermission('module_financial', 2);
+
    validateCSRFToken($_POST['csrf_token']);

+    enforceUserPermission('module_financial', 2);
+
+
    $name = sanitizeInput($_POST['name']);
    $opening_balance = floatval($_POST['opening_balance']);
    $currency_code = sanitizeInput($_POST['currency_code']);
@@ -27,10 +29,11 @@ if (isset($_POST['add_account'])) {
 }

 if (isset($_POST['edit_account'])) {
-    
-    enforceUserPermission('module_financial', 2);
+
    validateCSRFToken($_POST['csrf_token']);

+    enforceUserPermission('module_financial', 2);
+
    $account_id = intval($_POST['account_id']);
    $name = sanitizeInput($_POST['name']);
    $notes = sanitizeInput($_POST['notes']);
@@ -46,10 +49,11 @@ if (isset($_POST['edit_account'])) {
 }

 if (isset($_GET['archive_account'])) {
-    
-    enforceUserPermission('module_financial', 2);

    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_financial', 2);
+
    $account_id = intval($_GET['archive_account']);

    $account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
@@ -66,7 +70,9 @@ if (isset($_GET['archive_account'])) {

 // Not used anywhere?
 if (isset($_GET['delete_account'])) {
-    
+
+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_financial', 3);

    $account_id = intval($_GET['delete_account']);