Transfers: Add missing CSRF checks

2026-03-11 08:14:52 +00:00 · 2026-03-02 17:38:20 -05:00
parent 550980719e
commit 7b438e2889
4 changed files with 10 additions and 1 deletions
--- a/agent/modals/transfer/transfer_add.php
+++ b/agent/modals/transfer/transfer_add.php
@@ -12,6 +12,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
    <div class="modal-body">

        <div class="form-row">
--- a/agent/modals/transfer/transfer_edit.php
+++ b/agent/modals/transfer/transfer_edit.php
@@ -33,6 +33,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="transfer_id" value="<?php echo $transfer_id; ?>">
    <input type="hidden" name="expense_id" value="<?php echo $expense_id; ?>">
    <input type="hidden" name="revenue_id" value="<?php echo $revenue_id; ?>">
--- a/agent/post/transfer.php
+++ b/agent/post/transfer.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_transfer'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_financial', 2);

    require_once 'transfer_model.php';
@@ -43,6 +45,8 @@ if (isset($_POST['add_transfer'])) {

 if (isset($_POST['edit_transfer'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_financial', 2);

    require_once 'transfer_model.php';
@@ -67,6 +71,8 @@ if (isset($_POST['edit_transfer'])) {

 if (isset($_GET['delete_transfer'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_financial', 3);

    $transfer_id = intval($_GET['delete_transfer']);
--- a/agent/transfers.php
+++ b/agent/transfers.php
@@ -226,7 +226,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                            <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                        </a>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_transfer=<?= $transfer_id ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_transfer=<?= $transfer_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    </div>