Ticket: Add missing CSRF checks

This commit is contained in:
johnnyq
2026-03-01 21:14:58 -05:00
parent c2cbfc5558
commit 63f6faf1e8
20 changed files with 84 additions and 5 deletions


@@ -17,6 +17,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<?php if (isset($_GET['project_id'])) { ?>
<input type="hidden" name="project" value="<?php echo intval($_GET['project_id']); ?>">
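Review bot: The new hidden field echoes `$_SESSION['csrf_token']` straight into an attribute value with no `htmlspecialchars()` and no check that the session actually holds a token; if the token is generated as hex or base64 that is harmless, but on a session that has not been issued a token yet (first request after login, or after a session regeneration) the page emits an undefined-index warning and submits an empty value. A small guard keeps the form self-consistent: `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '') ?>">`. The same pattern is repeated in every form template touched by this commit, and where the token is generated is not visible here.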


@@ -16,6 +16,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<!-- Hidden/System fields -->
<?php if ($client_id) { ?>
<input type="hidden" name="client" value="<?php echo $client_id; ?>">


@@ -15,6 +15,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">


@@ -31,6 +31,7 @@ ob_start();
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<input type="hidden" name="ticket_status" value="<?php echo $ticket_status; ?>">
<div class="modal-body">


@@ -26,6 +26,7 @@ ob_start();
</div>
<form action="post.php" method="post" autocomplete="off">
<div class="modal-body">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="form-group">
<label>Billable?</label>


@@ -24,6 +24,7 @@ ob_start();
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">


@@ -29,6 +29,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">


@@ -50,6 +50,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?= $ticket_id ?>">
<div class="modal-body">


@@ -32,6 +32,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">


@@ -28,6 +28,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">


@@ -32,6 +32,7 @@ ob_start();
</div>
<form action="post.php" method="post" autocomplete="off">
<div class="modal-body">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="form-group">
@@ -60,7 +61,7 @@ ob_start();
<div class="modal-footer">
<?php if ($ticket_scheduled_for) { ?>
<a href="post.php?cancel_ticket_schedule=<?php echo htmlspecialchars($ticket_id); ?>" class="btn btn-danger text-bold">
<a href="post.php?cancel_ticket_schedule=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-danger text-bold">
<i class="fa fa-trash mr-2"></i>Cancel Scheduled Time
</a>
<?php } ?>
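Review bot: The rewritten cancel link on the new side drops the `htmlspecialchars()` that the old line applied to `$ticket_id`, so this hunk trades an output escape for the CSRF token; unless `$ticket_id` is guaranteed to come from `intval()` upstream (not visible in this hunk), keep the escaping: `href="post.php?cancel_ticket_schedule=<?= htmlspecialchars($ticket_id) ?>&amp;csrf_token=<?= htmlspecialchars($_SESSION['csrf_token']) ?>"`. Carrying the session CSRF token in a GET URL also exposes it in browser history, access logs and the Referer header of any outbound link on the next page, which weakens the protection being added. A small POST form with the hidden `csrf_token` field used elsewhere in this commit, or at minimum a `Referrer-Policy: same-origin` response header, avoids that. The enclosing template starts outside this hunk.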


@@ -23,6 +23,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?= $ticket_id ?>">
<div class="modal-body">


@@ -15,6 +15,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?= $client_id ?>">
<div class="modal-body">


@@ -88,6 +88,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<div class="modal-body">
<?php if (mysqli_num_rows($sql_invoices) > 0) { ?>


@@ -34,6 +34,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" id="current_ticket_id" name="ticket_id" value="<?= $ticket_id ?>">
<div class="modal-body">


@@ -29,6 +29,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">


@@ -29,6 +29,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_reply_id" value="<?php echo $ticket_reply_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">


@@ -26,6 +26,7 @@ ob_start();
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_reply_id" value="<?php echo $ticket_reply_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">


@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client']);
@@ -194,6 +196,8 @@ if (isset($_POST['add_ticket'])) {
if (isset($_POST['edit_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -303,6 +307,8 @@ if (isset($_POST['edit_ticket'])) {
if (isset($_POST['edit_ticket_priority'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -340,6 +346,8 @@ if (isset($_POST['edit_ticket_priority'])) {
if (isset($_POST['edit_ticket_contact'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -424,6 +432,8 @@ if (isset($_POST['edit_ticket_contact'])) {
if (isset($_POST['edit_ticket_project'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -446,6 +456,8 @@ if (isset($_POST['edit_ticket_project'])) {
if (isset($_POST['add_ticket_watcher'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -524,6 +536,8 @@ if (isset($_POST['add_ticket_watcher'])) {
if (isset($_GET['delete_ticket_watcher'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$watcher_id = intval($_GET['delete_ticket_watcher']);
@@ -558,6 +572,8 @@ if (isset($_GET['delete_ticket_watcher'])) {
if (isset($_GET['delete_ticket_additional_asset'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['delete_ticket_additional_asset']);
@@ -592,6 +608,8 @@ if (isset($_GET['delete_ticket_additional_asset'])) {
if (isset($_POST['edit_ticket_asset'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -636,6 +654,8 @@ if (isset($_POST['edit_ticket_asset'])) {
if (isset($_POST['edit_ticket_vendor'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -667,6 +687,8 @@ if (isset($_POST['edit_ticket_vendor'])) {
if (isset($_POST['assign_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -861,6 +883,8 @@ if (isset($_POST['bulk_delete_tickets'])) {
if (isset($_POST['bulk_assign_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -961,6 +985,8 @@ if (isset($_POST['bulk_assign_ticket'])) {
if (isset($_POST['bulk_edit_ticket_priority'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1005,6 +1031,8 @@ if (isset($_POST['bulk_edit_ticket_priority'])) {
if (isset($_POST['bulk_edit_ticket_category'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1050,6 +1078,8 @@ if (isset($_POST['bulk_edit_ticket_category'])) {
if (isset($_POST['bulk_merge_tickets'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$merge_into_ticket_id = intval($_POST['merge_into_ticket_id']); // Parent ticket id
@@ -1117,6 +1147,8 @@ if (isset($_POST['bulk_merge_tickets'])) {
if (isset($_POST['bulk_resolve_tickets'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1254,6 +1286,8 @@ if (isset($_POST['bulk_resolve_tickets'])) {
if (isset($_POST['bulk_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1418,6 +1452,8 @@ if (isset($_POST['bulk_ticket_reply'])) {
// Currently not UI Frontend for this
if (isset($_POST['bulk_add_ticket_project'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1579,6 +1615,8 @@ if (isset($_POST['bulk_add_asset_ticket'])) {
if (isset($_POST['add_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -1756,6 +1794,8 @@ if (isset($_POST['add_ticket_reply'])) {
if (isset($_POST['edit_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_POST['ticket_reply_id']);
@@ -1777,6 +1817,8 @@ if (isset($_POST['edit_ticket_reply'])) {
if (isset($_POST['redact_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_POST['ticket_reply_id']);
@@ -1796,6 +1838,8 @@ if (isset($_POST['redact_ticket_reply'])) {
if (isset($_GET['archive_ticket_reply'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_GET['archive_ticket_reply']);
@@ -1812,6 +1856,8 @@ if (isset($_GET['archive_ticket_reply'])) {
if (isset($_POST['merge_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']); // Child ticket ID to be closed
@@ -1886,6 +1932,8 @@ if (isset($_POST['merge_ticket'])) {
if (isset($_POST['change_client_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -2110,6 +2158,8 @@ if (isset($_GET['close_ticket'])) {
if (isset($_GET['reopen_ticket'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['reopen_ticket']);
@@ -2128,6 +2178,8 @@ if (isset($_GET['reopen_ticket'])) {
if (isset($_POST['add_invoice_from_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
enforceUserPermission('module_sales', 2);
@@ -2245,6 +2297,8 @@ if (isset($_POST['add_invoice_from_ticket'])) {
if (isset($_POST['export_tickets_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
if ($_POST['client_id']) {
@@ -2300,6 +2354,8 @@ if (isset($_POST['export_tickets_csv'])) {
if (isset($_POST['edit_ticket_billable_status'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
enforceUserPermission('module_sales', 2);
@@ -2328,6 +2384,8 @@ if (isset($_POST['edit_ticket_billable_status'])) {
if (isset($_POST['edit_ticket_schedule'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -2500,6 +2558,8 @@ if (isset($_POST['edit_ticket_schedule'])) {
if (isset($_GET['cancel_ticket_schedule'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['cancel_ticket_schedule']);
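Review bot: Every new `validateCSRFToken($_POST['csrf_token'])` / `validateCSRFToken($_GET['csrf_token'])` call reads the key directly, so a request without the field (a forged cross-site POST, or a page rendered before this deploy) raises an undefined-array-key warning on PHP 8 and hands `null` to the validator; whether null is rejected depends on `validateCSRFToken`, which is not in this diff. Use the null-coalescing form so the validator always receives a string: `validateCSRFToken($_POST['csrf_token'] ?? '');` (and `$_GET['csrf_token'] ?? ''` for the GET handlers). The hunk headers show `bulk_delete_tickets`, `bulk_add_asset_ticket` and `close_ticket` only as context, so it is not visible here whether those state-changing handlers received the same check; worth confirming given the commit title. Each handler's body continues outside its hunk.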


@@ -377,7 +377,7 @@ if (isset($_GET['ticket_id'])) {
if (empty($ticket_closed_at)) { ?>
<?php if (empty($ticket_closed_at) && !empty($ticket_resolved_at)) { ?>
<a href="post.php?reopen_ticket=<?php echo $ticket_id; ?>" class="btn btn-light btn-sm ml-3">
<a href="post.php?reopen_ticket=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-light btn-sm ml-3">
<i class="fas fa-fw fa-redo mr-2"></i>Reopen
</a>
<?php } ?>
@@ -568,6 +568,7 @@ if (isset($_GET['ticket_id'])) {
<?php if (lookupUserPermission("module_support") >= 2 && empty($ticket_resolved_at) && empty($ticket_closed_at)) { ?>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="ticket_id" id="ticket_id" value="<?php echo $ticket_id; ?>">
<input type="hidden" name="client_id" id="client_id" value="<?php echo $client_id; ?>">
@@ -752,7 +753,7 @@ if (isset($_GET['ticket_id'])) {
<i class="fas fa-fw fa-edit text-secondary mr-2"></i>Edit
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_ticket_reply=<?php echo $ticket_reply_id; ?>">
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_ticket_reply=<?= $ticket_reply_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Archive
</a>
<?php } ?>
@@ -1152,7 +1153,7 @@ if (isset($_GET['ticket_id'])) {
<div class='mt-1'>
<i class="fa fa-fw fa-envelope text-secondary mr-2"></i><?php echo $ticket_watcher_email; ?>
<?php if (empty($ticket_closed_at)) { ?>
<a class="confirm-link float-right" href="post.php?delete_ticket_watcher=<?php echo $watcher_id; ?>">
<a class="confirm-link float-right" href="post.php?delete_ticket_watcher=<?= $watcher_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-times text-secondary"></i>
</a>
<?php } ?>
@@ -1197,7 +1198,7 @@ if (isset($_GET['ticket_id'])) {
<i class="fa fa-fw fa-<?php echo $additional_asset_icon; ?> text-secondary mr-2"></i><?php echo $additional_asset_name; ?>
</a>
<?php if (empty($ticket_closed_at)) { ?>
<a class="confirm-link float-right" href="post.php?delete_ticket_additional_asset=<?php echo $additional_asset_id; ?>&ticket_id=<?php echo $ticket_id; ?>" title="Remove asset from ticket">
<a class="confirm-link float-right" href="post.php?delete_ticket_additional_asset=<?= $additional_asset_id; ?>&ticket_id=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" title="Remove asset from ticket">
<i class="fas fa-fw fa-times text-secondary"></i>
</a>
<?php } ?>
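Review bot: The reopen, archive-reply, delete-watcher and delete-asset actions stay as GET links that now carry the session CSRF token in the query string, which places the token in browser history, proxy and access logs, and the Referer sent to any external link on the resulting page; that partly undoes the protection this commit adds. Prefer turning these `confirm-link` anchors into small POST forms with the hidden `csrf_token` field used elsewhere in this commit, or at minimum emit a `Referrer-Policy: same-origin` header and treat the GET handlers as the exception. While here, `&` inside an `href` attribute should be written `&amp;` for valid HTML, e.g. `href="post.php?reopen_ticket=<?= $ticket_id ?>&amp;csrf_token=<?= htmlspecialchars($_SESSION['csrf_token']) ?>"`. The enclosing `if (isset($_GET['ticket_id']))` block starts outside these hunks.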