Trips: Add missing CSRF checks, we may need another permission module check for trips for now only admin and financial lv3 can delete a trip

agent/post/trip.php

@@ -4,10 +4,14 @@
  * ITFlow - GET/POST request handler for trips (accounting related)
  */
 
+ // Todo - JQ 2026-03-02 - Possibly need another Perm for trips
+
 defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_trip'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'trip_model.php';
 
     mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id");
@@ -24,6 +28,8 @@ if (isset($_POST['add_trip'])) {
 
 if (isset($_POST['edit_trip'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'trip_model.php';
 
     $trip_id = intval($_POST['trip_id']);
@@ -40,6 +46,10 @@ if (isset($_POST['edit_trip'])) {
 
 if (isset($_GET['delete_trip'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_financial', 3);
+
     $trip_id = intval($_GET['delete_trip']);
 
     // Get Trip Info and Client ID for logging
@@ -60,6 +70,10 @@ if (isset($_GET['delete_trip'])) {
 
 if (isset($_POST['export_trips_csv'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial');
+
     if ($_POST['client_id']) {
         $client_id = intval($_POST['client_id']);
         $client_query = "AND trip_client_id = $client_id";