Trips: Add missing CSRF checks, we may need another permission module check for trips for now only admin and financial lv3 can delete a trip

2026-03-11 08:14:52 +00:00 · 2026-03-02 17:50:04 -05:00
parent 7b438e2889
commit 8a1335174d
6 changed files with 20 additions and 1 deletions
--- a/agent/modals/trip/trip_add.php
+++ b/agent/modals/trip/trip_add.php
@@ -14,6 +14,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
--- a/agent/modals/trip/trip_copy.php
+++ b/agent/modals/trip/trip_copy.php
@@ -29,6 +29,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-row">
--- a/agent/modals/trip/trip_edit.php
+++ b/agent/modals/trip/trip_edit.php
@@ -30,6 +30,7 @@ ob_start();
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <div class="modal-body">
        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
        <input type="hidden" name="trip_id" value="<?php echo $trip_id; ?>">
        <div class="form-row">
--- a/agent/modals/trip/trip_export.php
+++ b/agent/modals/trip/trip_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">
    <div class="modal-body">
--- a/agent/post/trip.php
+++ b/agent/post/trip.php
@@ -4,10 +4,14 @@
 * ITFlow - GET/POST request handler for trips (accounting related)
 */
 // Todo - JQ 2026-03-02 - Possibly need another Perm for trips
 defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_trip'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'trip_model.php';
    mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id");
@@ -24,6 +28,8 @@ if (isset($_POST['add_trip'])) {
 if (isset($_POST['edit_trip'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'trip_model.php';
    $trip_id = intval($_POST['trip_id']);
@@ -40,6 +46,10 @@ if (isset($_POST['edit_trip'])) {
 if (isset($_GET['delete_trip'])) {
    validateCSRFToken($_GET['csrf_token']);
    enforceUserPermission('module_financial', 3);
    $trip_id = intval($_GET['delete_trip']);
    // Get Trip Info and Client ID for logging
@@ -60,6 +70,10 @@ if (isset($_GET['delete_trip'])) {
 if (isset($_POST['export_trips_csv'])) {
    validateCSRFToken($_POST['csrf_token']);
    enforceUserPermission('module_financial');
    if ($_POST['client_id']) {
        $client_id = intval($_POST['client_id']);
        $client_query = "AND trip_client_id = $client_id";
--- a/agent/trips.php
+++ b/agent/trips.php
@@ -197,7 +197,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                            <i class="fa fa-fw fa-copy mr-2"></i>Copy
                                        </a>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_trip=<?php echo $trip_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_trip=<?= $trip_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fa fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    </div>