Enforce CSRF for post/asset and post/account

Tiny bit of tidying
2026-03-01 03:14:52 +00:00 · 2024-09-08 22:52:38 +01:00
parent d1410ef967
commit 64684e1248
29 changed files with 64 additions and 21 deletions
--- a/report_assets.php
+++ b/report_assets.php
@@ -223,6 +223,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
            </form>
            <hr>
            <form id="bulkActions" action="post.php" method="post">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+
                <div class="table-responsive">
                    <table class="table border table-hover">
                        <thead class="thead-light <?php if (!$num_rows[0]) { echo "d-none"; } ?>">
@@ -525,19 +527,19 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                                </a>
                                                <?php if ($session_user_role > 2) { ?>
                                                    <?php if ($asset_archived_at) { ?>
-                                                    <a class="dropdown-item text-info" href="post.php?unarchive_asset=<?php echo $asset_id; ?>">
+                                                    <a class="dropdown-item text-info" href="post.php?unarchive_asset=<?php echo $asset_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
                                                        <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
                                                    </a>
                                                    <?php } else { ?>
                                                    <a class="dropdown-item" href="#" data-toggle="modal" data-target="#transferAssetModal<?php echo $asset_id; ?>">
                                                        <i class="fas fa-fw fa-arrow-right mr-2"></i>Transfer
                                                    </a>
-                                                    <a class="dropdown-item text-danger confirm-link" href="post.php?archive_asset=<?php echo $asset_id; ?>">
+                                                    <a class="dropdown-item text-danger confirm-link" href="post.php?archive_asset=<?php echo $asset_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
                                                        <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                    </a>
                                                    <?php } ?>
                                                    <?php if ($config_destructive_deletes_enable) { ?>
-                                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_asset=<?php echo $asset_id; ?>">
+                                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_asset=<?php echo $asset_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
                                                        <i class="fas fa-fw fa-archive mr-2"></i>Delete
                                                    </a>
                                                    <?php } ?>