AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

document and files and folders: Add missing CSRF checks, add missing permission checks

Browse Source
This commit is contained in:
johnnyq
2026-03-02 20:49:35 -05:00
parent 6bbe887f8b
commit 90171064a8
22 changed files with 101 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
agent/post/document.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
@@ -51,6 +53,8 @@ if (isset($_POST['add_document'])) {
if (isset($_POST['add_document_from_template'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
@@ -131,6 +135,8 @@ if (isset($_POST['add_document_from_template'])) {
if (isset($_POST['edit_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
@@ -230,6 +236,8 @@ if (isset($_POST['edit_document'])) {
if (isset($_POST['move_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -259,6 +267,8 @@ if (isset($_POST['move_document'])) {
if (isset($_POST['rename_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -284,6 +294,8 @@ if (isset($_POST['rename_document'])) {
if (isset($_POST['bulk_move_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$folder_id = intval($_POST['bulk_folder_id']);
@@ -322,6 +334,8 @@ if (isset($_POST['bulk_move_document'])) {
if (isset($_POST['link_file_to_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -349,6 +363,8 @@ if (isset($_POST['link_file_to_document'])) {
if (isset($_GET['unlink_file_from_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['file_id']);
@@ -375,6 +391,8 @@ if (isset($_GET['unlink_file_from_document'])) {
if (isset($_POST['link_vendor_to_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -402,6 +420,8 @@ if (isset($_POST['link_vendor_to_document'])) {
if (isset($_GET['unlink_vendor_from_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$vendor_id = intval($_GET['vendor_id']);
@@ -428,6 +448,8 @@ if (isset($_GET['unlink_vendor_from_document'])) {
if (isset($_POST['link_contact_to_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
@@ -456,6 +478,8 @@ if (isset($_POST['link_contact_to_document'])) {
if (isset($_GET['unlink_contact_from_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$contact_id = intval($_GET['contact_id']);
@@ -482,6 +506,8 @@ if (isset($_GET['unlink_contact_from_document'])) {
if (isset($_POST['link_asset_to_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -508,6 +534,8 @@ if (isset($_POST['link_asset_to_document'])) {
if (isset($_GET['unlink_asset_from_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['asset_id']);
@@ -534,6 +562,8 @@ if (isset($_GET['unlink_asset_from_document'])) {
if (isset($_POST['link_software_to_document'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -561,6 +591,8 @@ if (isset($_POST['link_software_to_document'])) {
if (isset($_GET['unlink_software_from_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$software_id = intval($_GET['software_id']);
@@ -587,6 +619,8 @@ if (isset($_GET['unlink_software_from_document'])) {
if (isset($_POST['toggle_document_visibility'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
@@ -616,6 +650,8 @@ if (isset($_POST['toggle_document_visibility'])) {
if (isset($_GET['export_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['export_document']);
@@ -660,6 +696,8 @@ if (isset($_GET['export_document'])) {
if (isset($_GET['archive_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['archive_document']);
@@ -701,6 +739,8 @@ if (isset($_GET['archive_document'])) {
if (isset($_GET['restore_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['restore_document']);
@@ -723,6 +763,8 @@ if (isset($_GET['restore_document'])) {
if (isset($_GET['delete_document_version'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 3);
$document_version_id = intval($_GET['delete_document_version']);
@@ -745,6 +787,8 @@ if (isset($_GET['delete_document_version'])) {
if (isset($_GET['delete_document'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 3);
$document_id = intval($_GET['delete_document']);