AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-01 03:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enforce CSRF for post/asset and post/account

Browse Source 
Tiny bit of tidying
This commit is contained in:
wrongecho
2024-09-08 22:52:38 +01:00
parent d1410ef967
commit 64684e1248
29 changed files with 64 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
post/account.php
View File

@@ -5,6 +5,7 @@
*/
if (isset($_POST['add_account'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$opening_balance = floatval($_POST['opening_balance']);
@@ -24,6 +25,7 @@ if (isset($_POST['add_account'])) {
}
if (isset($_POST['edit_account'])) {
validateCSRFToken($_POST['csrf_token']);
$account_id = intval($_POST['account_id']);
$name = sanitizeInput($_POST['name']);
@@ -42,6 +44,7 @@ if (isset($_POST['edit_account'])) {
}
if (isset($_GET['archive_account'])) {
validateCSRFToken($_GET['csrf_token']);
$account_id = intval($_GET['archive_account']);
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
@@ -55,6 +58,7 @@ if (isset($_GET['archive_account'])) {
}
// Not used anywhere?
if (isset($_GET['delete_account'])) {
$account_id = intval($_GET['delete_account']);

20
post/asset.php
View File

@@ -6,6 +6,7 @@
if (isset($_POST['add_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
@@ -105,6 +106,7 @@ if (isset($_POST['add_asset'])) {
if (isset($_POST['edit_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$asset_id = intval($_POST['asset_id']);
@@ -197,6 +199,7 @@ if (isset($_POST['edit_asset'])) {
if (isset($_POST['change_client_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$current_asset_id = intval($_POST['current_asset_id']);
@@ -244,6 +247,7 @@ if (isset($_POST['change_client_asset'])) {
if (isset($_GET['archive_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateTechRole();
$asset_id = intval($_GET['archive_asset']);
@@ -268,6 +272,7 @@ if (isset($_GET['archive_asset'])) {
if (isset($_GET['unarchive_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateTechRole();
$asset_id = intval($_GET['unarchive_asset']);
@@ -291,6 +296,7 @@ if (isset($_GET['unarchive_asset'])) {
if (isset($_GET['delete_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
$asset_id = intval($_GET['delete_asset']);
@@ -318,6 +324,7 @@ if (isset($_GET['delete_asset'])) {
if (isset($_POST['bulk_assign_asset_location'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$location_id = intval($_POST['bulk_location_id']);
@@ -357,6 +364,7 @@ if (isset($_POST['bulk_assign_asset_location'])) {
if (isset($_POST['bulk_assign_asset_contact'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$contact_id = intval($_POST['bulk_contact_id']);
@@ -396,6 +404,7 @@ if (isset($_POST['bulk_assign_asset_contact'])) {
if (isset($_POST['bulk_edit_asset_status'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$status = sanitizeInput($_POST['bulk_status']);
@@ -429,8 +438,9 @@ if (isset($_POST['bulk_edit_asset_status'])) {
}
if (isset($_POST['bulk_archive_assets'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
@@ -469,8 +479,9 @@ if (isset($_POST['bulk_archive_assets'])) {
}
if (isset($_POST['bulk_unarchive_assets'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
@@ -509,6 +520,7 @@ if (isset($_POST['bulk_unarchive_assets'])) {
if (isset($_POST["import_client_assets_csv"])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
@@ -655,6 +667,7 @@ if (isset($_GET['download_client_assets_csv_template'])) {
if (isset($_POST['export_client_assets_csv'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
@@ -704,6 +717,7 @@ if (isset($_POST['export_client_assets_csv'])) {
if (isset($_POST['add_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$asset_id = intval($_POST['asset_id']);
@@ -740,6 +754,7 @@ if (isset($_POST['add_asset_interface'])) {
if (isset($_POST['edit_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$interface_id = intval($_POST['interface_id']);
@@ -775,6 +790,7 @@ if (isset($_POST['edit_asset_interface'])) {
if (isset($_GET['delete_asset_interface'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
$interface_id = intval($_GET['delete_asset_interface']);

2
post/custom_field.php
View File

@@ -8,7 +8,6 @@ if(isset($_POST['create_custom_field'])){
require_once 'post/custom_field_model.php';
$table = sanitizeInput($_POST['table']);
mysqli_query($mysqli,"INSERT INTO custom_fields SET custom_field_table = '$table', custom_field_label = '$label', custom_field_type = '$type'");
@@ -26,7 +25,6 @@ if(isset($_POST['edit_custom_field'])){
require_once 'post/custom_field_model.php';
$custom_field_id = intval($_POST['custom_field_id']);
mysqli_query($mysqli,"UPDATE custom_fields SET custom_field_label = '$label', custom_field_type = '$type' WHERE custom_field_id = $custom_field_id");