AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Payments: Add missing CSRF and additonal perm check

Browse Source
This commit is contained in:
johnnyq
2026-03-02 16:38:17 -05:00
parent dee5085f4a
commit 7e515afb79
7 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/payment/invoice_apply_credit.php
View File

@@ -30,6 +30,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>"> <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/payment/payment_add.php
View File

@@ -43,6 +43,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>"> <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
<input type="hidden" name="balance" value="<?php echo $balance; ?>"> <input type="hidden" name="balance" value="<?php echo $balance; ?>">
<input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>"> <input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>">

1
agent/modals/payment/payment_bulk_add.php
View File

@@ -41,6 +41,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>"> <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="balance" value="<?php echo $balance; ?>"> <input type="hidden" name="balance" value="<?php echo $balance; ?>">
<input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>"> <input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>">

1
agent/modals/payment/payment_edit.php
View File

@@ -23,6 +23,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="payment_id" value="<?= $payment_id ?>"> <input type="hidden" name="payment_id" value="<?= $payment_id ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/payment/payment_export.php
View File

@@ -15,6 +15,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?= $client_id ?>"> <input type="hidden" name="client_id" value="<?= $client_id ?>">
<div class="modal-body"> <div class="modal-body">

2
agent/payments.php
View File

@@ -254,7 +254,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<i class="fas fa-fw fa-edit mr-2"></i>Edit <i class="fas fa-fw fa-edit mr-2"></i>Edit
</a> </a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_payment=<?= $payment_id ?>"> <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_payment=<?= $payment_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete <i class="fas fa-fw fa-trash mr-2"></i>Delete
</a> </a>
</div> </div>

14
agent/post/payment.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_payment'])) { if (isset($_POST['add_payment'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);
@@ -173,6 +175,8 @@ if (isset($_POST['add_payment'])) {
if (isset($_POST['edit_payment'])) { if (isset($_POST['edit_payment'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 3); enforceUserPermission('module_sales', 3);
enforceUserPermission('module_financial', 3); enforceUserPermission('module_financial', 3);
@@ -198,6 +202,8 @@ Apply Credit Not ready for use 2025-08-27 - JQ
if (isset($_POST['apply_credit'])) { if (isset($_POST['apply_credit'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);
@@ -685,6 +691,8 @@ if (isset($_GET['add_payment_stripe'])) {
if (isset($_POST['add_bulk_payment'])) { if (isset($_POST['add_bulk_payment'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);
@@ -817,6 +825,8 @@ if (isset($_POST['add_bulk_payment'])) {
if (isset($_GET['delete_payment'])) { if (isset($_GET['delete_payment'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);
@@ -871,6 +881,10 @@ if (isset($_GET['delete_payment'])) {
if (isset($_POST['export_payments_csv'])) { if (isset($_POST['export_payments_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_financial');
if ($_POST['client_id']) { if ($_POST['client_id']) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$client_query = "AND invoice_client_id = $client_id"; $client_query = "AND invoice_client_id = $client_id";