AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

services: Add missing CSRF checks rename unarchive to restore

Browse Source
This commit is contained in:
johnnyq
2026-03-02 20:34:55 -05:00
parent b5fb14ec96
commit 6bbe887f8b
3 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/service/service_add.php
View File

@@ -15,6 +15,7 @@ ob_start();
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<div class="modal-body"> <div class="modal-body">
<?php if ($client_id) { ?> <?php if ($client_id) { ?>

1
agent/modals/service/service_edit.php
View File

@@ -92,6 +92,7 @@ ob_start();
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id ?>"> <input type="hidden" name="client_id" value="<?php echo $client_id ?>">
<input type="hidden" name="service_id" value="<?php echo $service_id ?>"> <input type="hidden" name="service_id" value="<?php echo $service_id ?>">

4
agent/post/service.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_service'])) { if (isset($_POST['add_service'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
@@ -84,6 +86,8 @@ if (isset($_POST['add_service'])) {
if (isset($_POST['edit_service'])) { if (isset($_POST['edit_service'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);