Ticket: Add missing CSRF checks

2026-03-11 08:14:52 +00:00 · 2026-03-01 21:14:58 -05:00
parent c2cbfc5558
commit 63f6faf1e8
20 changed files with 84 additions and 5 deletions
--- a/agent/modals/ticket/ticket_add.php
+++ b/agent/modals/ticket/ticket_add.php
@@ -17,6 +17,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">

    <?php if (isset($_GET['project_id'])) { ?>
    <input type="hidden" name="project" value="<?php echo intval($_GET['project_id']); ?>">
--- a/agent/modals/ticket/ticket_add_v2.php
+++ b/agent/modals/ticket/ticket_add_v2.php
@@ -16,6 +16,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <!-- Hidden/System fields -->
    <?php if ($client_id) { ?>
        <input type="hidden" name="client" value="<?php echo $client_id; ?>">
--- a/agent/modals/ticket/ticket_add_watcher.php
+++ b/agent/modals/ticket/ticket_add_watcher.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_assign.php
+++ b/agent/modals/ticket/ticket_assign.php
@@ -31,6 +31,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <input type="hidden" name="ticket_status" value="<?php echo $ticket_status; ?>">
    <div class="modal-body">
--- a/agent/modals/ticket/ticket_billable.php
+++ b/agent/modals/ticket/ticket_billable.php
@@ -26,6 +26,7 @@ ob_start();
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <div class="modal-body">
+        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
        <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
        <div class="form-group">
            <label>Billable?</label>
--- a/agent/modals/ticket/ticket_change_client.php
+++ b/agent/modals/ticket/ticket_change_client.php
@@ -24,6 +24,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">

    <div class="modal-body">
--- a/agent/modals/ticket/ticket_contact.php
+++ b/agent/modals/ticket/ticket_contact.php
@@ -29,6 +29,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_edit.php
+++ b/agent/modals/ticket/ticket_edit.php
@@ -50,6 +50,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?= $ticket_id ?>">

    <div class="modal-body">
--- a/agent/modals/ticket/ticket_edit_asset.php
+++ b/agent/modals/ticket/ticket_edit_asset.php
@@ -32,6 +32,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_edit_project.php
+++ b/agent/modals/ticket/ticket_edit_project.php
@@ -28,6 +28,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_edit_schedule.php
+++ b/agent/modals/ticket/ticket_edit_schedule.php
@@ -32,6 +32,7 @@ ob_start();
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <div class="modal-body">
+        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
        <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">

        <div class="form-group">
@@ -60,7 +61,7 @@ ob_start();

    <div class="modal-footer">
    <?php if ($ticket_scheduled_for) { ?>
-        <a href="post.php?cancel_ticket_schedule=<?php echo htmlspecialchars($ticket_id); ?>" class="btn btn-danger text-bold">
+        <a href="post.php?cancel_ticket_schedule=<?= $ticket_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-danger text-bold">
            <i class="fa fa-trash mr-2"></i>Cancel Scheduled Time
        </a>
    <?php } ?>
--- a/agent/modals/ticket/ticket_edit_vendor.php
+++ b/agent/modals/ticket/ticket_edit_vendor.php
@@ -23,6 +23,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?= $ticket_id ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_export.php
+++ b/agent/modals/ticket/ticket_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_invoice_add.php
+++ b/agent/modals/ticket/ticket_invoice_add.php
@@ -88,6 +88,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <div class="modal-body">
        <?php if (mysqli_num_rows($sql_invoices) > 0) { ?>
--- a/agent/modals/ticket/ticket_merge.php
+++ b/agent/modals/ticket/ticket_merge.php
@@ -34,6 +34,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" id="current_ticket_id" name="ticket_id" value="<?= $ticket_id ?>">
    <div class="modal-body">

--- a/agent/modals/ticket/ticket_priority.php
+++ b/agent/modals/ticket/ticket_priority.php
@@ -29,6 +29,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">

--- a/agent/modals/ticket/ticket_reply_edit.php
+++ b/agent/modals/ticket/ticket_reply_edit.php
@@ -29,6 +29,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_reply_id" value="<?php echo $ticket_reply_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">

--- a/agent/modals/ticket/ticket_reply_redact.php
+++ b/agent/modals/ticket/ticket_reply_redact.php
@@ -26,6 +26,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_reply_id" value="<?php echo $ticket_reply_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">