AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Vendors: Add missing CSRF, need to update the permissions as a vendor can be client or global and permissions need to be set based off if the referal url has client_id or not

Browse Source
This commit is contained in:
johnnyq
2026-03-02 17:20:00 -05:00
parent 7e515afb79
commit 5b49908438
9 changed files with 65 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/vendor/vendor_add.php vendored
View File

@@ -14,6 +14,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?= $client_id ?>"> <input type="hidden" name="client_id" value="<?= $client_id ?>">
<div class="modal-body"> <div class="modal-body">

2
agent/modals/vendor/vendor_add_from_template.php vendored
View File

@@ -15,7 +15,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?= $client_id ?>"> <input type="hidden" name="client_id" value="<?= $client_id ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/vendor/vendor_contact_add.php vendored
View File

@@ -8,6 +8,7 @@
</button> </button>
</div> </div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off"> <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>"> <input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/vendor/vendor_contact_edit.php vendored
View File

@@ -8,6 +8,7 @@
</button> </button>
</div> </div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off"> <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="vendor_contact_id" value="<?php echo $vendor_contact_id; ?>"> <input type="hidden" name="vendor_contact_id" value="<?php echo $vendor_contact_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/vendor/vendor_edit.php vendored
View File

@@ -33,6 +33,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>"> <input type="hidden" name="vendor_id" value="<?php echo $vendor_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/vendor/vendor_export.php vendored
View File

@@ -15,6 +15,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?= $client_id ?>"> <input type="hidden" name="client_id" value="<?= $client_id ?>">
<div class="modal-body"> <div class="modal-body">

36
agent/post/vendor.php
View File

@@ -4,10 +4,14 @@
* ITFlow - GET/POST request handler for vendors * ITFlow - GET/POST request handler for vendors
*/ */
// Todo: 2026-03-02 JQ - Need Permssions reworked as we have client vendors and Global Vendors basically check the referral url if it has client_id then Perm check client else perm check financial.
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_from_template'])) { if (isset($_POST['add_vendor_from_template'])) {
validateCSRFToken($_POST['csrf_token']);
// GET POST Data // GET POST Data
$client_id = intval($_POST['client_id']); //Used if this vendor is under a contact otherwise its 0 for under company and or template $client_id = intval($_POST['client_id']); //Used if this vendor is under a contact otherwise its 0 for under company and or template
$vendor_template_id = intval($_POST['vendor_template_id']); $vendor_template_id = intval($_POST['vendor_template_id']);
@@ -48,6 +52,8 @@ if (isset($_POST['add_vendor_from_template'])) {
if (isset($_POST['add_vendor'])) { if (isset($_POST['add_vendor'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'vendor_model.php'; require_once 'vendor_model.php';
$client_id = intval($_POST['client_id']); // Used if this vendor is under a contact otherwise its 0 for under company $client_id = intval($_POST['client_id']); // Used if this vendor is under a contact otherwise its 0 for under company
@@ -66,6 +72,8 @@ if (isset($_POST['add_vendor'])) {
if (isset($_POST['edit_vendor'])) { if (isset($_POST['edit_vendor'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'vendor_model.php'; require_once 'vendor_model.php';
$vendor_id = intval($_POST['vendor_id']); $vendor_id = intval($_POST['vendor_id']);
@@ -86,6 +94,8 @@ if (isset($_POST['edit_vendor'])) {
if (isset($_GET['archive_vendor'])) { if (isset($_GET['archive_vendor'])) {
validateCSRFToken($_GET['csrf_token']);
$vendor_id = intval($_GET['archive_vendor']); $vendor_id = intval($_GET['archive_vendor']);
//Get Vendor Name //Get Vendor Name
@@ -104,9 +114,11 @@ if (isset($_GET['archive_vendor'])) {
} }
if(isset($_GET['unarchive_vendor'])){ if(isset($_GET['restore_vendor'])){
$vendor_id = intval($_GET['unarchive_vendor']); validateCSRFToken($_GET['csrf_token']);
$vendor_id = intval($_GET['restore_vendor']);
// Get Name and Client ID for logging and alert message // Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id"); $sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
@@ -116,7 +128,7 @@ if(isset($_GET['unarchive_vendor'])){
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id"); mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id); logAction("Vendor", "Restore", "$session_name restored vendor $vendor_name", $client_id, $vendor_id);
flash_alert("Vendor <strong>$vendor_name</strong> restored"); flash_alert("Vendor <strong>$vendor_name</strong> restored");
@@ -126,6 +138,10 @@ if(isset($_GET['unarchive_vendor'])){
if (isset($_GET['delete_vendor'])) { if (isset($_GET['delete_vendor'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
$vendor_id = intval($_GET['delete_vendor']); $vendor_id = intval($_GET['delete_vendor']);
//Get Vendor Name //Get Vendor Name
@@ -154,8 +170,6 @@ if (isset($_POST['bulk_archive_vendors'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
if (isset($_POST['vendor_ids'])) { if (isset($_POST['vendor_ids'])) {
// Get Selected Count // Get Selected Count
@@ -187,12 +201,10 @@ if (isset($_POST['bulk_archive_vendors'])) {
} }
if (isset($_POST['bulk_unarchive_vendors'])) { if (isset($_POST['bulk_restore_vendors'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
if (isset($_POST['vendor_ids'])) { if (isset($_POST['vendor_ids'])) {
// Get Selected Count // Get Selected Count
@@ -211,13 +223,13 @@ if (isset($_POST['bulk_unarchive_vendors'])) {
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id"); mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id); logAction("Vendor", "Restore", "$session_name restored vendor $vendor_name", $client_id, $vendor_id);
} }
logAction("Vendor", "Bulk Unarchive", "$session_name unarchived $count vendor(s)"); logAction("Vendor", "Bulk Restore", "$session_name restored $count vendor(s)");
flash_alert("Unarchived <strong>$count</strong> vendor(s)"); flash_alert("Restored <strong>$count</strong> vendor(s)");
} }
@@ -271,6 +283,8 @@ if (isset($_POST['bulk_delete_vendors'])) {
if (isset($_POST['export_vendors_csv'])) { if (isset($_POST['export_vendors_csv'])) {
validateCSRFToken($_POST['csrf_token']);
if ($_POST['client_id']) { if ($_POST['client_id']) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$client_query = "WHERE vendor_client_id = $client_id"; $client_query = "WHERE vendor_client_id = $client_id";

38
agent/post/vendor_contact.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_contact'])) { if (isset($_POST['add_vendor_contact'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
require_once 'post/user/vendor_contact_model.php'; require_once 'post/user/vendor_contact_model.php';
@@ -28,6 +30,8 @@ if (isset($_POST['add_vendor_contact'])) {
if (isset($_POST['edit_vendor_contact'])) { if (isset($_POST['edit_vendor_contact'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
require_once 'post/user/vendor_contact_model.php'; require_once 'post/user/vendor_contact_model.php';
@@ -48,7 +52,7 @@ if (isset($_POST['edit_vendor_contact'])) {
if (isset($_POST['bulk_archive_vendor_contacts'])) { if (isset($_POST['bulk_archive_vendor_contacts'])) {
//validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
@@ -79,9 +83,9 @@ if (isset($_POST['bulk_archive_vendor_contacts'])) {
} }
if (isset($_POST['bulk_unarchive_vendor_contacts'])) { if (isset($_POST['bulk_restore_vendor_contacts'])) {
//validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
@@ -109,13 +113,13 @@ if (isset($_POST['bulk_unarchive_vendor_contacts'])) {
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id"); mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
logAction("Contact", "Unarchive", "$session_name unarchived $contact_name", $client_id, $contact_id); logAction("Contact", "Restore", "$session_name restored $contact_name", $client_id, $contact_id);
} }
logAction("Contact", "Bulk Unarchive", "$session_name Unarchived $count contacts", $client_id); logAction("Contact", "Bulk Restore", "$session_name restored $count contacts", $client_id);
flash_alert("You unarchived <strong>$count</strong> contact(s)"); flash_alert("Restored <strong>$count</strong> contact(s)");
} }
@@ -178,6 +182,8 @@ if (isset($_POST['bulk_delete_vendor_contacts'])) {
if (isset($_GET['archive_vendor_contact'])) { if (isset($_GET['archive_vendor_contact'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
$contact_id = intval($_GET['archive_contact']); $contact_id = intval($_GET['archive_contact']);
@@ -204,11 +210,13 @@ if (isset($_GET['archive_vendor_contact'])) {
} }
if (isset($_GET['unarchive_vendor_contact'])) { if (isset($_GET['restore_vendor_contact'])) {
validateAdminRole(); validateCSRFToken($_GET['csrf_token']);
$contact_id = intval($_GET['unarchive_contact']); enforceUserPermission('module_client', 2);
$contact_id = intval($_GET['restre_contact']);
// Get Contact Name and Client ID for logging and alert message // Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id"); $sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
@@ -224,9 +232,9 @@ if (isset($_GET['unarchive_vendor_contact'])) {
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id"); mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
logAction("Contact", "Unarchive", "$session_name unarchived contact $contact_name", $client_id, $contact_id); logAction("Contact", "Restore", "$session_name restored contact $contact_name", $client_id, $contact_id);
flash_alert("Contact <strong>$contact_name</strong> has been Unarchived"); flash_alert("Contact <strong>$contact_name</strong> Restored");
redirect(); redirect();
@@ -234,6 +242,8 @@ if (isset($_GET['unarchive_vendor_contact'])) {
if (isset($_GET['delete_vendor_contact'])) { if (isset($_GET['delete_vendor_contact'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_client', 3); enforceUserPermission('module_client', 3);
$contact_id = intval($_GET['delete_contact']); $contact_id = intval($_GET['delete_contact']);
@@ -270,6 +280,8 @@ if (isset($_GET['delete_vendor_contact'])) {
if (isset($_POST['export_vendor_contacts_csv'])) { if (isset($_POST['export_vendor_contacts_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client'); enforceUserPermission('module_client');
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
@@ -321,6 +333,8 @@ if (isset($_POST['export_vendor_contacts_csv'])) {
if (isset($_POST["import_vendor_contacts_csv"])) { if (isset($_POST["import_vendor_contacts_csv"])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
@@ -421,6 +435,8 @@ if (isset($_POST["import_vendor_contacts_csv"])) {
if (isset($_GET['download_vendor_contacts_csv_template'])) { if (isset($_GET['download_vendor_contacts_csv_template'])) {
validateCSRFToken($_GET['csrf_token']);
$client_id = intval($_GET['download_client_contacts_csv_template']); $client_id = intval($_GET['download_client_contacts_csv_template']);
//get records from database //get records from database

12
agent/vendors.php
View File

@@ -88,8 +88,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="dropdown-menu"> <div class="dropdown-menu">
<?php if ($archived) { ?> <?php if ($archived) { ?>
<button class="dropdown-item text-info" <button class="dropdown-item text-info"
type="submit" form="bulkActions" name="bulk_unarchive_vendors"> type="submit" form="bulkActions" name="bulk_restore_vendors">
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive <i class="fas fa-fw fa-redo mr-2"></i>Restore
</button> </button>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<button class="dropdown-item text-danger text-bold" <button class="dropdown-item text-danger text-bold"
@@ -247,18 +247,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<?php if ($session_user_role == 3) { ?> <?php if ($session_user_role == 3) { ?>
<?php if ($vendor_archived_at) { ?> <?php if ($vendor_archived_at) { ?>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-info confirm-link" href="post.php?unarchive_vendor=<?php echo $vendor_id; ?>"> <a class="dropdown-item text-info confirm-link" href="post.php?restore_vendor=<?= $vendor_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive <i class="fas fa-fw fa-redo mr-2"></i>Restore
</a> </a>
<?php if ($config_destructive_deletes_enable) { ?> <?php if ($config_destructive_deletes_enable) { ?>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor=<?php echo $vendor_id; ?>"> <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor=<?= $vendor_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete <i class="fas fa-fw fa-trash mr-2"></i>Delete
</a> </a>
<?php } ?> <?php } ?>
<?php } else { ?> <?php } else { ?>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_vendor=<?php echo $vendor_id; ?>"> <a class="dropdown-item text-danger confirm-link" href="post.php?archive_vendor=<?= $vendor_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Archive <i class="fas fa-fw fa-archive mr-2"></i>Archive
</a> </a>
<?php } ?> <?php } ?>