From 6bbe887f8b98a07efa4ed231783552f767202c09 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Mon, 2 Mar 2026 20:34:55 -0500
Subject: [PATCH] services: Add missing CSRF checks rename unarchive to restore

---
 agent/modals/service/service_add.php  | 1 +
 agent/modals/service/service_edit.php | 1 +
 agent/post/service.php                | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/agent/modals/service/service_add.php b/agent/modals/service/service_add.php
index 03178148..340d0c97 100644
--- a/agent/modals/service/service_add.php
+++ b/agent/modals/service/service_add.php
@@ -15,6 +15,7 @@ ob_start();
 </div>
 
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
         <?php if ($client_id) { ?>
diff --git a/agent/modals/service/service_edit.php b/agent/modals/service/service_edit.php
index 05e1970a..597198a6 100644
--- a/agent/modals/service/service_edit.php
+++ b/agent/modals/service/service_edit.php
@@ -92,6 +92,7 @@ ob_start();
 </div>
 
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id ?>">
     <input type="hidden" name="service_id" value="<?php echo $service_id ?>">
 
diff --git a/agent/post/service.php b/agent/post/service.php
index b3523286..b27ceb39 100644
--- a/agent/post/service.php
+++ b/agent/post/service.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_service'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -84,6 +86,8 @@ if (isset($_POST['add_service'])) {
 
 if (isset($_POST['edit_service'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);