AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

document and files and folders: Add missing CSRF checks, add missing permission checks

Browse Source
This commit is contained in:
johnnyq
2026-03-02 20:49:35 -05:00
parent 6bbe887f8b
commit 90171064a8
22 changed files with 101 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
agent/post/file.php
View File

@@ -8,7 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['upload_files'])) {
// Enforce required user permission
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
// Sanitize and initialize inputs
@@ -102,6 +103,8 @@ if (isset($_POST['upload_files'])) {
if (isset($_POST['rename_file'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
@@ -127,6 +130,8 @@ if (isset($_POST['rename_file'])) {
if (isset($_POST['move_file'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
@@ -153,6 +158,8 @@ if (isset($_POST['move_file'])) {
if (isset($_GET['archive_file'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['archive_file']);
@@ -175,6 +182,8 @@ if (isset($_GET['archive_file'])) {
if (isset($_GET['restore_file'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['restore_file']);
@@ -234,7 +243,7 @@ if (isset($_POST['bulk_archive_files'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 3);
enforceUserPermission('module_support', 2);
// Archive file loop
if (isset($_POST['file_ids'])) {
@@ -429,6 +438,7 @@ if (isset($_POST['bulk_restore_files'])) {
if (isset($_POST['bulk_move_files'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$folder_id = intval($_POST['bulk_folder_id']);
@@ -538,6 +548,8 @@ if (isset($_POST['bulk_move_files'])) {
if (isset($_POST['link_asset_to_file'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
@@ -565,6 +577,8 @@ if (isset($_POST['link_asset_to_file'])) {
if (isset($_GET['unlink_asset_from_file'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['asset_id']);