Ticket: Add missing CSRF checks

This commit is contained in:
johnnyq
2026-03-01 21:14:58 -05:00
parent c2cbfc5558
commit 63f6faf1e8
20 changed files with 84 additions and 5 deletions


@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client']);
@@ -194,6 +196,8 @@ if (isset($_POST['add_ticket'])) {
if (isset($_POST['edit_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -303,6 +307,8 @@ if (isset($_POST['edit_ticket'])) {
if (isset($_POST['edit_ticket_priority'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -340,6 +346,8 @@ if (isset($_POST['edit_ticket_priority'])) {
if (isset($_POST['edit_ticket_contact'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -424,6 +432,8 @@ if (isset($_POST['edit_ticket_contact'])) {
if (isset($_POST['edit_ticket_project'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -446,6 +456,8 @@ if (isset($_POST['edit_ticket_project'])) {
if (isset($_POST['add_ticket_watcher'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -524,6 +536,8 @@ if (isset($_POST['add_ticket_watcher'])) {
if (isset($_GET['delete_ticket_watcher'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$watcher_id = intval($_GET['delete_ticket_watcher']);
@@ -558,6 +572,8 @@ if (isset($_GET['delete_ticket_watcher'])) {
if (isset($_GET['delete_ticket_additional_asset'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['delete_ticket_additional_asset']);
@@ -592,6 +608,8 @@ if (isset($_GET['delete_ticket_additional_asset'])) {
if (isset($_POST['edit_ticket_asset'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -636,6 +654,8 @@ if (isset($_POST['edit_ticket_asset'])) {
if (isset($_POST['edit_ticket_vendor'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -667,6 +687,8 @@ if (isset($_POST['edit_ticket_vendor'])) {
if (isset($_POST['assign_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -861,6 +883,8 @@ if (isset($_POST['bulk_delete_tickets'])) {
if (isset($_POST['bulk_assign_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -961,6 +985,8 @@ if (isset($_POST['bulk_assign_ticket'])) {
if (isset($_POST['bulk_edit_ticket_priority'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1005,6 +1031,8 @@ if (isset($_POST['bulk_edit_ticket_priority'])) {
if (isset($_POST['bulk_edit_ticket_category'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1050,6 +1078,8 @@ if (isset($_POST['bulk_edit_ticket_category'])) {
if (isset($_POST['bulk_merge_tickets'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$merge_into_ticket_id = intval($_POST['merge_into_ticket_id']); // Parent ticket id
@@ -1117,6 +1147,8 @@ if (isset($_POST['bulk_merge_tickets'])) {
if (isset($_POST['bulk_resolve_tickets'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1254,6 +1286,8 @@ if (isset($_POST['bulk_resolve_tickets'])) {
if (isset($_POST['bulk_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1418,6 +1452,8 @@ if (isset($_POST['bulk_ticket_reply'])) {
// Currently not UI Frontend for this
if (isset($_POST['bulk_add_ticket_project'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// POST variables
@@ -1579,6 +1615,8 @@ if (isset($_POST['bulk_add_asset_ticket'])) {
if (isset($_POST['add_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -1756,6 +1794,8 @@ if (isset($_POST['add_ticket_reply'])) {
if (isset($_POST['edit_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_POST['ticket_reply_id']);
@@ -1777,6 +1817,8 @@ if (isset($_POST['edit_ticket_reply'])) {
if (isset($_POST['redact_ticket_reply'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_POST['ticket_reply_id']);
@@ -1796,6 +1838,8 @@ if (isset($_POST['redact_ticket_reply'])) {
if (isset($_GET['archive_ticket_reply'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_reply_id = intval($_GET['archive_ticket_reply']);
@@ -1812,6 +1856,8 @@ if (isset($_GET['archive_ticket_reply'])) {
if (isset($_POST['merge_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']); // Child ticket ID to be closed
@@ -1886,6 +1932,8 @@ if (isset($_POST['merge_ticket'])) {
if (isset($_POST['change_client_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -2110,6 +2158,8 @@ if (isset($_GET['close_ticket'])) {
if (isset($_GET['reopen_ticket'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['reopen_ticket']);
@@ -2128,6 +2178,8 @@ if (isset($_GET['reopen_ticket'])) {
if (isset($_POST['add_invoice_from_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
enforceUserPermission('module_sales', 2);
@@ -2245,6 +2297,8 @@ if (isset($_POST['add_invoice_from_ticket'])) {
if (isset($_POST['export_tickets_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
if ($_POST['client_id']) {
@@ -2300,6 +2354,8 @@ if (isset($_POST['export_tickets_csv'])) {
if (isset($_POST['edit_ticket_billable_status'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
enforceUserPermission('module_sales', 2);
@@ -2328,6 +2384,8 @@ if (isset($_POST['edit_ticket_billable_status'])) {
if (isset($_POST['edit_ticket_schedule'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
@@ -2500,6 +2558,8 @@ if (isset($_POST['edit_ticket_schedule'])) {
if (isset($_GET['cancel_ticket_schedule'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['cancel_ticket_schedule']);
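Review bot: Every added check reads `$_POST['csrf_token']` or `$_GET['csrf_token']` directly, so a request that omits the field (which is exactly what a forged cross-site request would do) raises an undefined-array-key warning and hands `null` to `validateCSRFToken()`; whether that fails closed depends on the helper's implementation, which is not part of this diff. Passing a defined value, e.g. `validateCSRFToken($_GET['csrf_token'] ?? '');` (and the `$_POST` equivalent in the other hunks), keeps the logs clean and makes the rejection independent of how the helper treats `null`. Separately, the `delete_ticket_watcher`, `delete_ticket_additional_asset`, `archive_ticket_reply`, `reopen_ticket` and `cancel_ticket_schedule` handlers now carry the token in a GET query string, where it is exposed through browser history, Referer headers and proxy/server logs — these are state-changing actions and would be safer as POST forms. The `bulk_delete_tickets`, `bulk_add_asset_ticket` and `close_ticket` handlers appear only as hunk-header context on this page, so it does not show whether they already validate a token; worth confirming before closing the ticket. The `cancel_ticket_schedule` block continues past the end of the last hunk.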