From 7e515afb792cfd1737c8df53bdad4095bfebf0fd Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Mon, 2 Mar 2026 16:38:17 -0500
Subject: [PATCH] Payments: Add missing CSRF and additonal perm check
---
agent/modals/payment/invoice_apply_credit.php | 1 +
agent/modals/payment/payment_add.php | 1 +
agent/modals/payment/payment_bulk_add.php | 1 +
agent/modals/payment/payment_edit.php | 1 +
agent/modals/payment/payment_export.php | 1 +
agent/payments.php | 2 +-
agent/post/payment.php | 14 ++++++++++++++
7 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/agent/modals/payment/invoice_apply_credit.php b/agent/modals/payment/invoice_apply_credit.php
index 89734089..7a0514b5 100644
--- a/agent/modals/payment/invoice_apply_credit.php
+++ b/agent/modals/payment/invoice_apply_credit.php
@@ -30,6 +30,7 @@ ob_start();
+
+
diff --git a/agent/modals/payment/payment_bulk_add.php b/agent/modals/payment/payment_bulk_add.php
index 41f93ecc..a4fe1edb 100644
--- a/agent/modals/payment/payment_bulk_add.php
+++ b/agent/modals/payment/payment_bulk_add.php
@@ -41,6 +41,7 @@ ob_start();
+
diff --git a/agent/modals/payment/payment_edit.php b/agent/modals/payment/payment_edit.php
index 38d996be..9aee0218 100644
--- a/agent/modals/payment/payment_edit.php
+++ b/agent/modals/payment/payment_edit.php
@@ -23,6 +23,7 @@ ob_start();
+
+
diff --git a/agent/post/payment.php b/agent/post/payment.php
index 9060b9a5..49bc069d 100644
--- a/agent/post/payment.php
+++ b/agent/post/payment.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_payment'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_sales', 2);
 enforceUserPermission('module_financial', 2);
@@ -173,6 +175,8 @@ if (isset($_POST['add_payment'])) {
 if (isset($_POST['edit_payment'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_sales', 3);
 enforceUserPermission('module_financial', 3);
@@ -198,6 +202,8 @@ Apply Credit Not ready for use 2025-08-27 - JQ
 if (isset($_POST['apply_credit'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_sales', 2);
 enforceUserPermission('module_financial', 2);
@@ -685,6 +691,8 @@ if (isset($_GET['add_payment_stripe'])) {
 if (isset($_POST['add_bulk_payment'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_sales', 2);
 enforceUserPermission('module_financial', 2);
@@ -817,6 +825,8 @@ if (isset($_POST['add_bulk_payment'])) {
 if (isset($_GET['delete_payment'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
 enforceUserPermission('module_sales', 2);
 enforceUserPermission('module_financial', 2);
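Review bot: Each new `validateCSRFToken($_POST['csrf_token'])` line (add_payment, edit_payment, apply_credit, add_bulk_payment, and `$_GET['csrf_token']` in delete_payment; the export_payments_csv hunk below has the same shape) reads the superglobal without a guard, so a request that omits the field raises an undefined-array-key warning and hands `null` to the validator. Whether `null` is still rejected depends on validateCSRFToken's parameter type, which is outside this hunk; `validateCSRFToken($_POST['csrf_token'] ?? '')` makes a missing token fail the same way as a wrong one without the warning. For delete_payment the token now travels in the query string, where it can be recorded in access logs and Referer headers; if the delete link can be turned into a POST form like the other handlers, that exposure goes away. Each handler body continues outside its hunk.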
@@ -871,6 +881,10 @@ if (isset($_GET['delete_payment'])) {
 if (isset($_POST['export_payments_csv'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
+ enforceUserPermission('module_financial');
+
 if ($_POST['client_id']) {
 $client_id = intval($_POST['client_id']);
 $client_query = "AND invoice_client_id = $client_id";
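Review bot: The new `enforceUserPermission('module_financial');` in export_payments_csv is the only permission call in these hunks without an explicit level, and unlike every other handler shown it is not paired with a `module_sales` check. If that asymmetry is intentional for a read-only export, a one-line comment such as `// export is read-only: financial module access at default level is sufficient` would keep the next reader from "fixing" it; otherwise add `enforceUserPermission('module_sales');` alongside it so exports follow the same gate as the write paths. The `$_POST['csrf_token']` access has the same missing-key concern raised on the earlier hunks. The handler body continues past the hunk.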