From 90171064a8a5ea29b2d969e3e5e53b696d61aff2 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Mon, 2 Mar 2026 20:49:35 -0500
Subject: [PATCH] document and files and folders: Add missing CSRF checks, add
 missing permission checks

---
 agent/document_details.php                    | 18 ++++----
 agent/files.php                               | 16 +++----
 agent/modals/document/document_add.php        |  1 +
 .../document/document_add_file_relation.php   |  1 +
 .../document/document_add_from_template.php   |  1 +
 agent/modals/document/document_edit.php       |  1 +
 .../document/document_edit_visibility.php     |  1 +
 agent/modals/document/document_link_asset.php |  1 +
 .../modals/document/document_link_contact.php |  1 +
 agent/modals/document/document_link_file.php  |  1 +
 .../document/document_link_software.php       |  1 +
 .../modals/document/document_link_vendor.php  |  1 +
 agent/modals/document/document_move.php       |  1 +
 agent/modals/document/document_rename.php     |  1 +
 agent/modals/file/file_link_asset.php         |  1 +
 agent/modals/file/file_move.php               |  1 +
 agent/modals/file/file_rename.php             |  1 +
 agent/modals/file/file_upload.php             |  1 +
 agent/post/category.php                       |  2 +
 agent/post/document.php                       | 44 +++++++++++++++++++
 agent/post/file.php                           | 18 +++++++-
 agent/post/folder.php                         |  6 +++
 22 files changed, 101 insertions(+), 19 deletions(-)

diff --git a/agent/document_details.php b/agent/document_details.php
index 9556ed54..169480f2 100644
--- a/agent/document_details.php
+++ b/agent/document_details.php
@@ -192,10 +192,10 @@ $page_title = $row['document_name'];
                     onclick="populateShareModal(<?= "$client_id, 'Document', $document_id"; ?>)">
                     <i class="fas fa-fw fa-share" title="Share"></i>
                 </button>
-                <a class="btn btn-success mr-1" href="post.php?export_document=<?= $document_id ?>"><i class='fas fa-fw fa-file-pdf' title="PDF Export"></i></a>
+                <a class="btn btn-success mr-1" href="post.php?export_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class='fas fa-fw fa-file-pdf' title="PDF Export"></i></a>
                 <button type="button" class="btn btn-secondary mr-4" onclick="window.print();"><i class="fas fa-fw fa-print" title="Print"></i></button>
-                <a class="btn btn-warning mr-1 confirm-link" href="post.php?archive_document=<?= $document_id ?>" title="Archive"><i class='fas fa-fw fa-archive'></i></a>
-                <a class="btn btn-danger confirm-link" href="post.php?delete_document=<?= $document_id ?>&from=document_details" title="Delete"><i class='fas fa-fw fa-trash-alt'></i></a>
+                <a class="btn btn-warning mr-1 confirm-link" href="post.php?archive_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" title="Archive"><i class='fas fa-fw fa-archive'></i></a>
+                <a class="btn btn-danger confirm-link" href="post.php?delete_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>&from=document_details" title="Delete"><i class='fas fa-fw fa-trash-alt'></i></a>
             </div>
         </div>
         <div class="card card-body bg-light">
@@ -226,7 +226,7 @@ $page_title = $row['document_name'];
                 ?>
                 <div class="ml-2">
                     <a href="files.php?client_id=<?= $client_id ?>&folder_id=<?= $folder_id ?>&q=<?= $file_name ?>" target="_blank"><?= $file_name ?></a>
-                    <a class="confirm-link" href="post.php?unlink_file_from_document&file_id=<?= $file_id ?>&document_id=<?= $document_id ?>">
+                    <a class="confirm-link" href="post.php?unlink_file_from_document&file_id=<?= $file_id ?>&document_id=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary float-right" title="Unlink File"></i>
                     </a>
                 </div>
@@ -261,7 +261,7 @@ $page_title = $row['document_name'];
                         data-modal-size="lg"
                         data-modal-url="modals/contact/contact_details.php?id=<?= $contact_id ?>">
                         <?php echo $contact_name; ?></a>
-                    <a class="confirm-link float-right" href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Contact"></i>
                     </a>
                 </div>
@@ -296,7 +296,7 @@ $page_title = $row['document_name'];
                         data-modal-url="modals/asset/asset_details.php?id=<?= $asset_id ?>">
                         <?php echo $asset_name; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?unlink_asset_from_document&asset_id=<?php echo $asset_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_asset_from_document&asset_id=<?php echo $asset_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Asset"></i>
                     </a>
                 </div>
@@ -328,7 +328,7 @@ $page_title = $row['document_name'];
                 ?>
                 <div class="ml-2">
                     <a href="software.php?client_id=<?php echo $client_id; ?>&q=<?php echo $software_name; ?>" target="_blank"><?php echo $software_name; ?></a>
-                    <a class="confirm-link float-right" href="post.php?unlink_software_from_document&software_id=<?php echo $software_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_software_from_document&software_id=<?php echo $software_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink License"></i>
                     </a>
                 </div>
@@ -362,7 +362,7 @@ $page_title = $row['document_name'];
                     <a class="ajax-modal" href="#" data-modal-url="modals/vendor/vendor_details.php?id=<?= $vendor_id ?>">
                         <?php echo $vendor_name; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?unlink_vendor_from_document&vendor_id=<?php echo $vendor_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_vendor_from_document&vendor_id=<?php echo $vendor_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Vendor"></i>
                     </a>
                 </div>
@@ -415,7 +415,7 @@ $page_title = $row['document_name'];
                         data-modal-url="modals/document/document_version_view.php?id=<?= $document_version_id ?>">
                         <?php echo "$document_version_created_date | $document_version_author"; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?delete_document_version=<?php echo $document_version_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?delete_document_version=<?php echo $document_version_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-trash-alt text-secondary"></i>
                     </a>
                 </div>
diff --git a/agent/files.php b/agent/files.php
index 1d426f59..b1d42f77 100644
--- a/agent/files.php
+++ b/agent/files.php
@@ -189,7 +189,7 @@ function display_folders($parent_folder_id, $client_id, $indent = 0, $render_roo
                 </a>
                 <?php if ($session_user_role == 3 && $num_total == 0 && $subfolder_count == 0) { ?>
                     <div class="dropdown-divider"></div>
-                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_folder=<?php echo $folder_id; ?>">
+                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_folder=<?php echo $folder_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                     </a>
                 <?php } ?>
@@ -641,7 +641,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                             </a>
                                             <?php if ($file_archived_at) { ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>">
+                                                <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                 </a>
                                                 <?php if ($session_user_role == 3) { ?>
@@ -652,7 +652,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                 <?php } ?>
                                             <?php } else { ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>">
+                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                 </a>
                                             <?php } ?>
@@ -809,7 +809,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                         </a>
                                                         <?php if ($file_archived_at) { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>">
+                                                            <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                             </a>
                                                             <?php if ($session_user_role == 3) { ?>
@@ -820,7 +820,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                             <?php } ?>
                                                         <?php } else { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>">
+                                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                             </a>
                                                         <?php } ?>
@@ -928,18 +928,18 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                         </a>
                                                         <?php if ($document_archived_at) { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-info" href="post.php?restore_document=<?= $document_id ?>">
+                                                            <a class="dropdown-item text-info" href="post.php?restore_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                             </a>
                                                             <?php if ($session_user_role == 3) { ?>
                                                                 <div class="dropdown-divider"></div>
-                                                                <a class="dropdown-item text-danger text-bold" href="post.php?delete_document=<?= $document_id ?>">
+                                                                <a class="dropdown-item text-danger text-bold" href="post.php?delete_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                     <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                                 </a>
                                                             <?php } ?>
                                                         <?php } else { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-danger" href="post.php?archive_document=<?= $document_id ?>">
+                                                            <a class="dropdown-item text-danger" href="post.php?archive_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                             </a>
                                                         <?php } ?>
diff --git a/agent/modals/document/document_add.php b/agent/modals/document/document_add.php
index c3e364bc..4573181e 100644
--- a/agent/modals/document/document_add.php
+++ b/agent/modals/document/document_add.php
@@ -17,6 +17,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?= $client_id ?>">
     <input type="hidden" name="contact" value="<?= $contact_id ?>">
     <input type="hidden" name="asset" value="<?= $asset_id ?>">
diff --git a/agent/modals/document/document_add_file_relation.php b/agent/modals/document/document_add_file_relation.php
index 32816119..ee7276a8 100644
--- a/agent/modals/document/document_add_file_relation.php
+++ b/agent/modals/document/document_add_file_relation.php
@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
                 <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
                 <div class="modal-body">
diff --git a/agent/modals/document/document_add_from_template.php b/agent/modals/document/document_add_from_template.php
index 363222bc..e8c9b86a 100644
--- a/agent/modals/document/document_add_from_template.php
+++ b/agent/modals/document/document_add_from_template.php
@@ -18,6 +18,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_edit.php b/agent/modals/document/document_edit.php
index 56586b90..d4d53747 100644
--- a/agent/modals/document/document_edit.php
+++ b/agent/modals/document/document_edit.php
@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">
diff --git a/agent/modals/document/document_edit_visibility.php b/agent/modals/document/document_edit_visibility.php
index 6241a2c4..78d224b5 100644
--- a/agent/modals/document/document_edit_visibility.php
+++ b/agent/modals/document/document_edit_visibility.php
@@ -27,6 +27,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <div class="modal-body">
         <input type="hidden" name="document_id" value="<?= $document_id ?>">
         <div class="form-group">
diff --git a/agent/modals/document/document_link_asset.php b/agent/modals/document/document_link_asset.php
index cab4660a..c9409fd2 100644
--- a/agent/modals/document/document_link_asset.php
+++ b/agent/modals/document/document_link_asset.php
@@ -23,6 +23,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_link_contact.php b/agent/modals/document/document_link_contact.php
index 74cb85d9..d6b1da09 100644
--- a/agent/modals/document/document_link_contact.php
+++ b/agent/modals/document/document_link_contact.php
@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_link_file.php b/agent/modals/document/document_link_file.php
index 18986935..6bb427b3 100644
--- a/agent/modals/document/document_link_file.php
+++ b/agent/modals/document/document_link_file.php
@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_link_software.php b/agent/modals/document/document_link_software.php
index 4e13f146..62d4d588 100644
--- a/agent/modals/document/document_link_software.php
+++ b/agent/modals/document/document_link_software.php
@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_link_vendor.php b/agent/modals/document/document_link_vendor.php
index 1bdec19d..3f738d3e 100644
--- a/agent/modals/document/document_link_vendor.php
+++ b/agent/modals/document/document_link_vendor.php
@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_move.php b/agent/modals/document/document_move.php
index f68429b0..daf159bb 100644
--- a/agent/modals/document/document_move.php
+++ b/agent/modals/document/document_move.php
@@ -22,6 +22,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/document/document_rename.php b/agent/modals/document/document_rename.php
index 8f4a730c..5b61754b 100644
--- a/agent/modals/document/document_rename.php
+++ b/agent/modals/document/document_rename.php
@@ -21,6 +21,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">
diff --git a/agent/modals/file/file_link_asset.php b/agent/modals/file/file_link_asset.php
index 75d825b9..6a87613c 100644
--- a/agent/modals/file/file_link_asset.php
+++ b/agent/modals/file/file_link_asset.php
@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
                 <div class="modal-body">
 
diff --git a/agent/modals/file/file_move.php b/agent/modals/file/file_move.php
index 925fe4ce..7685031d 100644
--- a/agent/modals/file/file_move.php
+++ b/agent/modals/file/file_move.php
@@ -45,6 +45,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/file/file_rename.php b/agent/modals/file/file_rename.php
index b282810b..20d1010c 100644
--- a/agent/modals/file/file_rename.php
+++ b/agent/modals/file/file_rename.php
@@ -45,6 +45,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/file/file_upload.php b/agent/modals/file/file_upload.php
index 90f01efc..ee2c00d9 100644
--- a/agent/modals/file/file_upload.php
+++ b/agent/modals/file/file_upload.php
@@ -17,6 +17,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <input type="hidden" name="contact" value="<?php echo $contact_id; ?>">
     <input type="hidden" name="asset" value="<?php echo $asset_id; ?>">
diff --git a/agent/post/category.php b/agent/post/category.php
index 82d912ca..f011bceb 100644
--- a/agent/post/category.php
+++ b/agent/post/category.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_category'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'category_model.php';
 
     mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
diff --git a/agent/post/document.php b/agent/post/document.php
index a4e90411..2307414a 100644
--- a/agent/post/document.php
+++ b/agent/post/document.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     require_once 'document_model.php';
@@ -51,6 +53,8 @@ if (isset($_POST['add_document'])) {
 
 if (isset($_POST['add_document_from_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id             = intval($_POST['client_id']);
@@ -131,6 +135,8 @@ if (isset($_POST['add_document_from_template'])) {
 
 if (isset($_POST['edit_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     require_once 'document_model.php';
@@ -230,6 +236,8 @@ if (isset($_POST['edit_document'])) {
 
 if (isset($_POST['move_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -259,6 +267,8 @@ if (isset($_POST['move_document'])) {
 
 if (isset($_POST['rename_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -284,6 +294,8 @@ if (isset($_POST['rename_document'])) {
 
 if (isset($_POST['bulk_move_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['bulk_folder_id']);
@@ -322,6 +334,8 @@ if (isset($_POST['bulk_move_document'])) {
 
 if (isset($_POST['link_file_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -349,6 +363,8 @@ if (isset($_POST['link_file_to_document'])) {
 
 if (isset($_GET['unlink_file_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['file_id']);
@@ -375,6 +391,8 @@ if (isset($_GET['unlink_file_from_document'])) {
 
 if (isset($_POST['link_vendor_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -402,6 +420,8 @@ if (isset($_POST['link_vendor_to_document'])) {
 
 if (isset($_GET['unlink_vendor_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $vendor_id = intval($_GET['vendor_id']);
@@ -428,6 +448,8 @@ if (isset($_GET['unlink_vendor_from_document'])) {
 
 if (isset($_POST['link_contact_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -456,6 +478,8 @@ if (isset($_POST['link_contact_to_document'])) {
 
 if (isset($_GET['unlink_contact_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $contact_id = intval($_GET['contact_id']);
@@ -482,6 +506,8 @@ if (isset($_GET['unlink_contact_from_document'])) {
 
 if (isset($_POST['link_asset_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -508,6 +534,8 @@ if (isset($_POST['link_asset_to_document'])) {
 
 if (isset($_GET['unlink_asset_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $asset_id = intval($_GET['asset_id']);
@@ -534,6 +562,8 @@ if (isset($_GET['unlink_asset_from_document'])) {
 
 if (isset($_POST['link_software_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -561,6 +591,8 @@ if (isset($_POST['link_software_to_document'])) {
 
 if (isset($_GET['unlink_software_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $software_id = intval($_GET['software_id']);
@@ -587,6 +619,8 @@ if (isset($_GET['unlink_software_from_document'])) {
 
 if (isset($_POST['toggle_document_visibility'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -616,6 +650,8 @@ if (isset($_POST['toggle_document_visibility'])) {
 
 if (isset($_GET['export_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['export_document']);
@@ -660,6 +696,8 @@ if (isset($_GET['export_document'])) {
 
 if (isset($_GET['archive_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['archive_document']);
@@ -701,6 +739,8 @@ if (isset($_GET['archive_document'])) {
 
 if (isset($_GET['restore_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['restore_document']);
@@ -723,6 +763,8 @@ if (isset($_GET['restore_document'])) {
 
 if (isset($_GET['delete_document_version'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $document_version_id = intval($_GET['delete_document_version']);
@@ -745,6 +787,8 @@ if (isset($_GET['delete_document_version'])) {
 
 if (isset($_GET['delete_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $document_id = intval($_GET['delete_document']);
diff --git a/agent/post/file.php b/agent/post/file.php
index 6ac17e97..794c0c6a 100644
--- a/agent/post/file.php
+++ b/agent/post/file.php
@@ -8,7 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['upload_files'])) {
 
-    // Enforce required user permission
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     // Sanitize and initialize inputs
@@ -102,6 +103,8 @@ if (isset($_POST['upload_files'])) {
 
 if (isset($_POST['rename_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -127,6 +130,8 @@ if (isset($_POST['rename_file'])) {
 
 if (isset($_POST['move_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -153,6 +158,8 @@ if (isset($_POST['move_file'])) {
 
 if (isset($_GET['archive_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['archive_file']);
@@ -175,6 +182,8 @@ if (isset($_GET['archive_file'])) {
 
 if (isset($_GET['restore_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['restore_file']);
@@ -234,7 +243,7 @@ if (isset($_POST['bulk_archive_files'])) {
 
     validateCSRFToken($_POST['csrf_token']);
 
-    enforceUserPermission('module_support', 3);
+    enforceUserPermission('module_support', 2);
 
     // Archive file loop
     if (isset($_POST['file_ids'])) {
@@ -429,6 +438,7 @@ if (isset($_POST['bulk_restore_files'])) {
 if (isset($_POST['bulk_move_files'])) {
 
     validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['bulk_folder_id']);
@@ -538,6 +548,8 @@ if (isset($_POST['bulk_move_files'])) {
 
 if (isset($_POST['link_asset_to_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -565,6 +577,8 @@ if (isset($_POST['link_asset_to_file'])) {
 
 if (isset($_GET['unlink_asset_from_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $asset_id = intval($_GET['asset_id']);
diff --git a/agent/post/folder.php b/agent/post/folder.php
index 08e7e531..416d899e 100644
--- a/agent/post/folder.php
+++ b/agent/post/folder.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['create_folder'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -29,6 +31,8 @@ if (isset($_POST['create_folder'])) {
 
 if (isset($_POST['rename_folder'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['folder_id']);
@@ -53,6 +57,8 @@ if (isset($_POST['rename_folder'])) {
 
 if (isset($_GET['delete_folder'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $folder_id = intval($_GET['delete_folder']);