From 8a1335174df8d5e8e930aabce41fc62f43d8bb6b Mon Sep 17 00:00:00 2001 From: johnnyq Date: Mon, 2 Mar 2026 17:50:04 -0500 Subject: [PATCH] Trips: Add missing CSRF checks, we may need another permission module check for trips for now only admin and financial lv3 can delete a trip --- agent/modals/trip/trip_add.php | 1 + agent/modals/trip/trip_copy.php | 2 ++ agent/modals/trip/trip_edit.php | 1 + agent/modals/trip/trip_export.php | 1 + agent/post/trip.php | 14 ++++++++++++++ agent/trips.php | 2 +- 6 files changed, 20 insertions(+), 1 deletion(-) diff --git a/agent/modals/trip/trip_add.php b/agent/modals/trip/trip_add.php index 4a57ed27..8863893a 100644 --- a/agent/modals/trip/trip_add.php +++ b/agent/modals/trip/trip_add.php @@ -14,6 +14,7 @@ ob_start();
+
diff --git a/agent/modals/trip/trip_copy.php b/agent/modals/trip/trip_copy.php index 19373aa2..09aa634c 100644 --- a/agent/modals/trip/trip_copy.php +++ b/agent/modals/trip/trip_copy.php @@ -29,6 +29,8 @@ ob_start();
+ +
diff --git a/agent/modals/trip/trip_edit.php b/agent/modals/trip/trip_edit.php index 34fbfd20..814c01a0 100644 --- a/agent/modals/trip/trip_edit.php +++ b/agent/modals/trip/trip_edit.php @@ -30,6 +30,7 @@ ob_start();
+
diff --git a/agent/modals/trip/trip_export.php b/agent/modals/trip/trip_export.php index 407651b0..50ca572d 100644 --- a/agent/modals/trip/trip_export.php +++ b/agent/modals/trip/trip_export.php @@ -15,6 +15,7 @@ ob_start();
+
diff --git a/agent/post/trip.php b/agent/post/trip.php index 9ad8c205..b5a087a6 100644 --- a/agent/post/trip.php +++ b/agent/post/trip.php @@ -4,10 +4,14 @@ * ITFlow - GET/POST request handler for trips (accounting related) */ + // Todo - JQ 2026-03-02 - Possibly need another Perm for trips + defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_trip'])) { + validateCSRFToken($_POST['csrf_token']); + require_once 'trip_model.php'; mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id"); @@ -24,6 +28,8 @@ if (isset($_POST['add_trip'])) { if (isset($_POST['edit_trip'])) { + validateCSRFToken($_POST['csrf_token']); + require_once 'trip_model.php'; $trip_id = intval($_POST['trip_id']); @@ -40,6 +46,10 @@ if (isset($_POST['edit_trip'])) { if (isset($_GET['delete_trip'])) { + validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_financial', 3); + $trip_id = intval($_GET['delete_trip']); // Get Trip Info and Client ID for logging @@ -60,6 +70,10 @@ if (isset($_GET['delete_trip'])) { if (isset($_POST['export_trips_csv'])) { + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_financial'); + if ($_POST['client_id']) { $client_id = intval($_POST['client_id']); $client_query = "AND trip_client_id = $client_id"; diff --git a/agent/trips.php b/agent/trips.php index dba88586..a2327c8d 100644 --- a/agent/trips.php +++ b/agent/trips.php @@ -197,7 +197,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Copy
- + Delete