Vendors: Add missing CSRF, need to update the permissions as a vendor can be client or global and permissions need to be set based off if the referal url has client_id or not

2026-03-11 08:14:52 +00:00 · 2026-03-02 17:20:00 -05:00
parent 7e515afb79
commit 5b49908438
9 changed files with 65 additions and 30 deletions
--- a/agent/modals/vendor/vendor_add.php
+++ b/agent/modals/vendor/vendor_add.php
@@ -14,6 +14,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/vendor/vendor_add_from_template.php
+++ b/agent/modals/vendor/vendor_add_from_template.php
@@ -15,7 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
-
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/vendor/vendor_contact_add.php
+++ b/agent/modals/vendor/vendor_contact_add.php
@@ -8,6 +8,7 @@
                </button>
            </div>
            <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>">
                <div class="modal-body">

@@ -91,4 +92,4 @@
            </form>
        </div>
    </div>
-</div>
+</div>
--- a/agent/modals/vendor/vendor_contact_edit.php
+++ b/agent/modals/vendor/vendor_contact_edit.php
@@ -8,6 +8,7 @@
                </button>
            </div>
            <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="vendor_contact_id" value="<?php echo $vendor_contact_id; ?>">

                <div class="modal-body">
--- a/agent/modals/vendor/vendor_edit.php
+++ b/agent/modals/vendor/vendor_edit.php
@@ -33,6 +33,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>">
    <div class="modal-body">

--- a/agent/modals/vendor/vendor_export.php
+++ b/agent/modals/vendor/vendor_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">