AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #826 from wrongecho/admin-settings-csrf 

Require CSRF token to edit more admin settings
This commit is contained in:
Johnny 2023-11-25 14:07:31 -05:00 committed by GitHub
parent e50fbd76ae 8068cb6081
commit 59aeb1e976
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 54 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
post/setting.php
View File

@ -6,6 +6,7 @@
if (isset($_POST['edit_company'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
require_once 'post/setting_company_model.php';
@ -53,6 +54,7 @@ if (isset($_POST['edit_company'])) {
if (isset($_POST['edit_localization'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$locale = sanitizeInput($_POST['locale']);
@ -74,6 +76,7 @@ if (isset($_POST['edit_localization'])) {
if (isset($_POST['edit_mail_smtp_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_smtp_host = sanitizeInput($_POST['config_smtp_host']);
@ -95,6 +98,7 @@ if (isset($_POST['edit_mail_smtp_settings'])) {
if (isset($_POST['edit_mail_imap_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_imap_host = sanitizeInput($_POST['config_imap_host']);
@ -117,6 +121,7 @@ if (isset($_POST['edit_mail_imap_settings'])) {
if (isset($_POST['edit_mail_from_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_mail_from_email = sanitizeInput($_POST['config_mail_from_email']);
@ -144,6 +149,7 @@ if (isset($_POST['edit_mail_from_settings'])) {
if (isset($_POST['test_email_smtp'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$email_from = sanitizeInput($_POST['email_from']);
$email_to = sanitizeInput($_POST['email_to']);
@ -167,6 +173,7 @@ if (isset($_POST['test_email_smtp'])) {
if (isset($_POST['test_email_imap'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
// Prepare connection string with encryption (TLS/SSL/<blank>)
@ -188,6 +195,7 @@ if (isset($_POST['test_email_imap'])) {
if (isset($_POST['edit_invoice_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_invoice_prefix = sanitizeInput($_POST['config_invoice_prefix']);
@ -212,6 +220,7 @@ if (isset($_POST['edit_invoice_settings'])) {
if (isset($_POST['edit_quote_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_quote_prefix = sanitizeInput($_POST['config_quote_prefix']);
@ -254,6 +263,7 @@ if (isset($_POST['edit_ticket_settings'])) {
if (isset($_POST['edit_default_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$start_page = sanitizeInput($_POST['start_page']);
@ -279,6 +289,7 @@ if (isset($_POST['edit_default_settings'])) {
if (isset($_POST['edit_theme_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$theme = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['theme']));
@ -295,6 +306,7 @@ if (isset($_POST['edit_theme_settings'])) {
if (isset($_POST['edit_alert_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_enable_cron = intval($_POST['config_enable_cron']);
@ -351,6 +363,7 @@ if (isset($_POST['edit_online_payment_settings'])) {
if (isset($_POST['edit_integrations_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$azure_client_id = sanitizeInput($_POST['azure_client_id']);
@ -388,6 +401,8 @@ if (isset($_POST['edit_module_settings'])) {
}
if (isset($_POST['edit_security_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_login_message = sanitizeInput($_POST['config_login_message']);
@ -406,6 +421,7 @@ if (isset($_POST['edit_security_settings'])) {
if (isset($_POST['edit_telemetry_settings'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$config_telemetry = intval($_POST['config_telemetry']);
@ -697,6 +713,7 @@ if (isset($_POST['send_telemetry_data'])) {
if (isset($_GET['download_database'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
// Get All Table Names From the Database

3
post/tax.php
View File

@ -6,6 +6,7 @@
if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
@ -22,6 +23,7 @@ if (isset($_POST['add_tax'])) {
if (isset($_POST['edit_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$tax_id = intval($_POST['tax_id']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
@ -38,6 +40,7 @@ if (isset($_POST['edit_tax'])) {
}
if (isset($_GET['archive_tax'])) {
validateCSRFToken($_GET['csrf_token']);
$tax_id = intval($_GET['archive_tax']);
mysqli_query($mysqli,"UPDATE taxes SET tax_archived_at = NOW() WHERE tax_id = $tax_id");

1
settings_alerts.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<div class="custom-control custom-switch">

2
settings_backup.php
View File

@ -7,7 +7,7 @@ require_once "inc_all_settings.php";
<h3 class="card-title"><i class="fas fa-fw fa-database mr-2"></i>Download Database</h3>
</div>
<div class="card-body" style="text-align: center;">
<a class="btn btn-primary btn-lg p-3" href="post.php?download_database"><i class="fas fa-fw fa-4x fa-download"></i><br><br>Download</a>
<a class="btn btn-primary btn-lg p-3" href="post.php?download_database&csrf_token=<?php echo $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-4x fa-download"></i><br><br>Download</a>
</div>
</div>

1
settings_company.php
View File

@ -29,6 +29,7 @@ $company_initials = nullable_htmlentities(initials($company_name));
</div>
<div class="card-body">
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>

3
settings_defaults.php
View File

@ -9,6 +9,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Start Page</label>
@ -21,7 +22,7 @@ require_once "inc_all_settings.php";
<option selected> <?php echo nullable_htmlentities($config_start_page); ?></option>
<?php } ?>
<?php foreach ($start_page_select_array as $start_page_value => $start_page_name) { ?>
<option <?php if ($start_page_value == $config_start_page) { echo "selected"; } ?>
<option <?php if ($start_page_value == $config_start_page) { echo "selected"; } ?>
value="<?php echo nullable_htmlentities($start_page_value); ?>">
<?php echo nullable_htmlentities($start_page_name); ?>
</option>

1
settings_integrations.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<h4>Client Portal SSO via Microsoft Azure AD</h4>
<div class="form-group">

1
settings_invoice.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<h4>Invoice</h4>

1
settings_localization.php
View File

@ -19,6 +19,7 @@ $timezones = DateTimeZone::listIdentifiers();
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Language <strong class="text-danger">*</strong></label>

8
settings_mail.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>SMTP Host</label>
@ -80,6 +81,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>IMAP Host</label>
@ -154,6 +156,8 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<p>Each of the "From Email" Addresses need to be able to send email on behalf of the SMTP user configured above
<h5>System Default</h5>
<p class="text-secondary">(used for system tasks such as sending share links)</p>
@ -262,6 +266,8 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="input-group">
<select class="form-control select2" name="email_from" required>
<option value="">- Select an Email Address to send from -</option>
@ -308,6 +314,8 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="input-group-append">
<button type="submit" name="test_email_imap" class="btn btn-success"><i class="fas fa-fw fa-inbox mr-2"></i>Test</button>
</div>

1
settings_modules.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<div class="custom-control custom-switch">

1
settings_quote.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Quote Prefix</label>

1
settings_security.php
View File

@ -9,6 +9,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Login Message</label>

4
settings_tax_add_modal.php
View File

@ -8,6 +8,8 @@
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="modal-body bg-white">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
@ -25,4 +27,4 @@
</form>
</div>
</div>
</div>
</div>

12
settings_tax_edit_modal.php
View File

@ -8,20 +8,22 @@
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<input type="hidden" name="tax_id" value="<?php echo $tax_id; ?>">
<div class="modal-body bg-white">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
<input type="text" class="form-control" name="name" value="<?php echo $tax_name; ?>" required>
</div>
<div class="form-group">
<label>Percent <strong class="text-danger">*</strong></label>
<input type="number" min="0" step="any" class="form-control col-md-4" name="percent" value="<?php echo $tax_percent; ?>">
</div>
</div>
<div class="modal-footer bg-white">
<button type="submit" name="edit_tax" class="btn btn-primary text-bold"><i class="fas fa-check mr-2"></i>Save</button>
@ -30,4 +32,4 @@
</form>
</div>
</div>
</div>
</div>

4
settings_taxes.php
View File

@ -11,7 +11,7 @@ require_once "inc_all_settings.php";
$url_query_strings_sort = http_build_query($get_copy);
$sql = mysqli_query(
$mysqli,
$mysqli,
"SELECT * FROM taxes
WHERE tax_archived_at IS NULL
ORDER BY $sort $order"
@ -60,7 +60,7 @@ $num_rows = mysqli_num_rows($sql);
<i class="fas fa-fw fa-edit mr-2"></i>Edit
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_tax=<?php echo $tax_id; ?>">
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_tax=<?php echo $tax_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Archive
</a>
</div>

1
settings_telemetry.php
View File

@ -11,6 +11,7 @@ require_once "inc_all_settings.php";
<p class="text-center">Installation ID: <strong><?php echo $installation_id; ?></strong></p>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Telemetry</label>

1
settings_theme.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<label>Select a Theme</label>
<div class="form-row">

1
settings_ticket.php
View File

@ -8,6 +8,7 @@ require_once "inc_all_settings.php";
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="form-group">
<label>Ticket Prefix</label>