document and files and folders: Add missing CSRF checks, add missing permission checks

2026-03-11 08:14:52 +00:00 · 2026-03-02 20:49:35 -05:00
parent 6bbe887f8b
commit 90171064a8
22 changed files with 101 additions and 19 deletions
--- a/agent/post/folder.php
+++ b/agent/post/folder.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['create_folder'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_support', 2);

    $client_id = intval($_POST['client_id']);
@@ -29,6 +31,8 @@ if (isset($_POST['create_folder'])) {

 if (isset($_POST['rename_folder'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_support', 2);

    $folder_id = intval($_POST['folder_id']);
@@ -53,6 +57,8 @@ if (isset($_POST['rename_folder'])) {

 if (isset($_GET['delete_folder'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_support', 3);

    $folder_id = intval($_GET['delete_folder']);