document and files and folders: Add missing CSRF checks, add missing permission checks

agent/document_details.php

@@ -192,10 +192,10 @@ $page_title = $row['document_name'];
                     onclick="populateShareModal(<?= "$client_id, 'Document', $document_id"; ?>)">
                     <i class="fas fa-fw fa-share" title="Share"></i>
                 </button>
-                <a class="btn btn-success mr-1" href="post.php?export_document=<?= $document_id ?>"><i class='fas fa-fw fa-file-pdf' title="PDF Export"></i></a>
+                <a class="btn btn-success mr-1" href="post.php?export_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class='fas fa-fw fa-file-pdf' title="PDF Export"></i></a>
                 <button type="button" class="btn btn-secondary mr-4" onclick="window.print();"><i class="fas fa-fw fa-print" title="Print"></i></button>
-                <a class="btn btn-warning mr-1 confirm-link" href="post.php?archive_document=<?= $document_id ?>" title="Archive"><i class='fas fa-fw fa-archive'></i></a>
+                <a class="btn btn-warning mr-1 confirm-link" href="post.php?archive_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" title="Archive"><i class='fas fa-fw fa-archive'></i></a>
-                <a class="btn btn-danger confirm-link" href="post.php?delete_document=<?= $document_id ?>&from=document_details" title="Delete"><i class='fas fa-fw fa-trash-alt'></i></a>
+                <a class="btn btn-danger confirm-link" href="post.php?delete_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>&from=document_details" title="Delete"><i class='fas fa-fw fa-trash-alt'></i></a>
             </div>
         </div>
         <div class="card card-body bg-light">
@@ -226,7 +226,7 @@ $page_title = $row['document_name'];
                 ?>
                 <div class="ml-2">
                     <a href="files.php?client_id=<?= $client_id ?>&folder_id=<?= $folder_id ?>&q=<?= $file_name ?>" target="_blank"><?= $file_name ?></a>
-                    <a class="confirm-link" href="post.php?unlink_file_from_document&file_id=<?= $file_id ?>&document_id=<?= $document_id ?>">
+                    <a class="confirm-link" href="post.php?unlink_file_from_document&file_id=<?= $file_id ?>&document_id=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary float-right" title="Unlink File"></i>
                     </a>
                 </div>
@@ -261,7 +261,7 @@ $page_title = $row['document_name'];
                         data-modal-size="lg"
                         data-modal-url="modals/contact/contact_details.php?id=<?= $contact_id ?>">
                         <?php echo $contact_name; ?></a>
-                    <a class="confirm-link float-right" href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Contact"></i>
                     </a>
                 </div>
@@ -296,7 +296,7 @@ $page_title = $row['document_name'];
                         data-modal-url="modals/asset/asset_details.php?id=<?= $asset_id ?>">
                         <?php echo $asset_name; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?unlink_asset_from_document&asset_id=<?php echo $asset_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_asset_from_document&asset_id=<?php echo $asset_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Asset"></i>
                     </a>
                 </div>
@@ -328,7 +328,7 @@ $page_title = $row['document_name'];
                 ?>
                 <div class="ml-2">
                     <a href="software.php?client_id=<?php echo $client_id; ?>&q=<?php echo $software_name; ?>" target="_blank"><?php echo $software_name; ?></a>
-                    <a class="confirm-link float-right" href="post.php?unlink_software_from_document&software_id=<?php echo $software_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_software_from_document&software_id=<?php echo $software_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink License"></i>
                     </a>
                 </div>
@@ -362,7 +362,7 @@ $page_title = $row['document_name'];
                     <a class="ajax-modal" href="#" data-modal-url="modals/vendor/vendor_details.php?id=<?= $vendor_id ?>">
                         <?php echo $vendor_name; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?unlink_vendor_from_document&vendor_id=<?php echo $vendor_id; ?>&document_id=<?php echo $document_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?unlink_vendor_from_document&vendor_id=<?php echo $vendor_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-unlink text-secondary" title="Unlink Vendor"></i>
                     </a>
                 </div>
@@ -415,7 +415,7 @@ $page_title = $row['document_name'];
                         data-modal-url="modals/document/document_version_view.php?id=<?= $document_version_id ?>">
                         <?php echo "$document_version_created_date | $document_version_author"; ?>
                     </a>
-                    <a class="confirm-link float-right" href="post.php?delete_document_version=<?php echo $document_version_id; ?>">
+                    <a class="confirm-link float-right" href="post.php?delete_document_version=<?php echo $document_version_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-trash-alt text-secondary"></i>
                     </a>
                 </div>

agent/files.php

@@ -189,7 +189,7 @@ function display_folders($parent_folder_id, $client_id, $indent = 0, $render_roo
                 </a>
                 <?php if ($session_user_role == 3 && $num_total == 0 && $subfolder_count == 0) { ?>
                     <div class="dropdown-divider"></div>
-                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_folder=<?php echo $folder_id; ?>">
+                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_folder=<?php echo $folder_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                     </a>
                 <?php } ?>
@@ -641,7 +641,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                             </a>
                                             <?php if ($file_archived_at) { ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>">
+                                                <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                 </a>
                                                 <?php if ($session_user_role == 3) { ?>
@@ -652,7 +652,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                 <?php } ?>
                                             <?php } else { ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>">
+                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                 </a>
                                             <?php } ?>
@@ -809,7 +809,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                         </a>
                                                         <?php if ($file_archived_at) { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>">
+                                                            <a class="dropdown-item text-info" href="post.php?restore_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                             </a>
                                                             <?php if ($session_user_role == 3) { ?>
@@ -820,7 +820,7 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                             <?php } ?>
                                                         <?php } else { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>">
+                                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_file=<?= $file_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                             </a>
                                                         <?php } ?>
@@ -928,18 +928,18 @@ $num_root_items = intval($row_root_files['num']) + intval($row_root_docs['num'])
                                                         </a>
                                                         <?php if ($document_archived_at) { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-info" href="post.php?restore_document=<?= $document_id ?>">
+                                                            <a class="dropdown-item text-info" href="post.php?restore_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                             </a>
                                                             <?php if ($session_user_role == 3) { ?>
                                                                 <div class="dropdown-divider"></div>
-                                                                <a class="dropdown-item text-danger text-bold" href="post.php?delete_document=<?= $document_id ?>">
+                                                                <a class="dropdown-item text-danger text-bold" href="post.php?delete_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                     <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                                 </a>
                                                             <?php } ?>
                                                         <?php } else { ?>
                                                             <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-danger" href="post.php?archive_document=<?= $document_id ?>">
+                                                            <a class="dropdown-item text-danger" href="post.php?archive_document=<?= $document_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                             </a>
                                                         <?php } ?>

agent/modals/document/document_add.php

@@ -17,6 +17,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?= $client_id ?>">
     <input type="hidden" name="contact" value="<?= $contact_id ?>">
     <input type="hidden" name="asset" value="<?= $asset_id ?>">

agent/modals/document/document_add_file_relation.php

@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
                 <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
                 <div class="modal-body">

agent/modals/document/document_add_from_template.php

@@ -18,6 +18,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">
 

agent/modals/document/document_edit.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">

agent/modals/document/document_edit_visibility.php

@@ -27,6 +27,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <div class="modal-body">
         <input type="hidden" name="document_id" value="<?= $document_id ?>">
         <div class="form-group">

agent/modals/document/document_link_asset.php

@@ -23,6 +23,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 

agent/modals/document/document_link_contact.php

@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 

agent/modals/document/document_link_file.php

@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 

agent/modals/document/document_link_software.php

@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 

agent/modals/document/document_link_vendor.php

@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?= $document_id ?>">
     <div class="modal-body">
 

agent/modals/document/document_move.php

@@ -22,6 +22,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <div class="modal-body">
 

agent/modals/document/document_rename.php

@@ -21,6 +21,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">

agent/modals/file/file_link_asset.php

@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
                 <div class="modal-body">
 

agent/modals/file/file_move.php

@@ -45,6 +45,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
     <div class="modal-body">
 

agent/modals/file/file_rename.php

@@ -45,6 +45,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="file_id" value="<?php echo $file_id; ?>">
     <div class="modal-body">
 

agent/modals/file/file_upload.php

@@ -17,6 +17,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <input type="hidden" name="contact" value="<?php echo $contact_id; ?>">
     <input type="hidden" name="asset" value="<?php echo $asset_id; ?>">

agent/post/category.php

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_category'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'category_model.php';
 
     mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");

agent/post/document.php

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     require_once 'document_model.php';
@@ -51,6 +53,8 @@ if (isset($_POST['add_document'])) {
 
 if (isset($_POST['add_document_from_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id             = intval($_POST['client_id']);
@@ -131,6 +135,8 @@ if (isset($_POST['add_document_from_template'])) {
 
 if (isset($_POST['edit_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     require_once 'document_model.php';
@@ -230,6 +236,8 @@ if (isset($_POST['edit_document'])) {
 
 if (isset($_POST['move_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -259,6 +267,8 @@ if (isset($_POST['move_document'])) {
 
 if (isset($_POST['rename_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -284,6 +294,8 @@ if (isset($_POST['rename_document'])) {
 
 if (isset($_POST['bulk_move_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['bulk_folder_id']);
@@ -322,6 +334,8 @@ if (isset($_POST['bulk_move_document'])) {
 
 if (isset($_POST['link_file_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -349,6 +363,8 @@ if (isset($_POST['link_file_to_document'])) {
 
 if (isset($_GET['unlink_file_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['file_id']);
@@ -375,6 +391,8 @@ if (isset($_GET['unlink_file_from_document'])) {
 
 if (isset($_POST['link_vendor_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -402,6 +420,8 @@ if (isset($_POST['link_vendor_to_document'])) {
 
 if (isset($_GET['unlink_vendor_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $vendor_id = intval($_GET['vendor_id']);
@@ -428,6 +448,8 @@ if (isset($_GET['unlink_vendor_from_document'])) {
 
 if (isset($_POST['link_contact_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -456,6 +478,8 @@ if (isset($_POST['link_contact_to_document'])) {
 
 if (isset($_GET['unlink_contact_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $contact_id = intval($_GET['contact_id']);
@@ -482,6 +506,8 @@ if (isset($_GET['unlink_contact_from_document'])) {
 
 if (isset($_POST['link_asset_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -508,6 +534,8 @@ if (isset($_POST['link_asset_to_document'])) {
 
 if (isset($_GET['unlink_asset_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $asset_id = intval($_GET['asset_id']);
@@ -534,6 +562,8 @@ if (isset($_GET['unlink_asset_from_document'])) {
 
 if (isset($_POST['link_software_to_document'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -561,6 +591,8 @@ if (isset($_POST['link_software_to_document'])) {
 
 if (isset($_GET['unlink_software_from_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $software_id = intval($_GET['software_id']);
@@ -587,6 +619,8 @@ if (isset($_GET['unlink_software_from_document'])) {
 
 if (isset($_POST['toggle_document_visibility'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_POST['document_id']);
@@ -616,6 +650,8 @@ if (isset($_POST['toggle_document_visibility'])) {
 
 if (isset($_GET['export_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['export_document']);
@@ -660,6 +696,8 @@ if (isset($_GET['export_document'])) {
 
 if (isset($_GET['archive_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['archive_document']);
@@ -701,6 +739,8 @@ if (isset($_GET['archive_document'])) {
 
 if (isset($_GET['restore_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $document_id = intval($_GET['restore_document']);
@@ -723,6 +763,8 @@ if (isset($_GET['restore_document'])) {
 
 if (isset($_GET['delete_document_version'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $document_version_id = intval($_GET['delete_document_version']);
@@ -745,6 +787,8 @@ if (isset($_GET['delete_document_version'])) {
 
 if (isset($_GET['delete_document'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $document_id = intval($_GET['delete_document']);

agent/post/file.php

@@ -8,7 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['upload_files'])) {
 
-    // Enforce required user permission
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     // Sanitize and initialize inputs
@@ -102,6 +103,8 @@ if (isset($_POST['upload_files'])) {
 
 if (isset($_POST['rename_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -127,6 +130,8 @@ if (isset($_POST['rename_file'])) {
 
 if (isset($_POST['move_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -153,6 +158,8 @@ if (isset($_POST['move_file'])) {
 
 if (isset($_GET['archive_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['archive_file']);
@@ -175,6 +182,8 @@ if (isset($_GET['archive_file'])) {
 
 if (isset($_GET['restore_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_GET['restore_file']);
@@ -234,7 +243,7 @@ if (isset($_POST['bulk_archive_files'])) {
 
     validateCSRFToken($_POST['csrf_token']);
 
-    enforceUserPermission('module_support', 3);
+    enforceUserPermission('module_support', 2);
 
     // Archive file loop
     if (isset($_POST['file_ids'])) {
@@ -429,6 +438,7 @@ if (isset($_POST['bulk_restore_files'])) {
 if (isset($_POST['bulk_move_files'])) {
 
     validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['bulk_folder_id']);
@@ -538,6 +548,8 @@ if (isset($_POST['bulk_move_files'])) {
 
 if (isset($_POST['link_asset_to_file'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $file_id = intval($_POST['file_id']);
@@ -565,6 +577,8 @@ if (isset($_POST['link_asset_to_file'])) {
 
 if (isset($_GET['unlink_asset_from_file'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $asset_id = intval($_GET['asset_id']);

agent/post/folder.php

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['create_folder'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -29,6 +31,8 @@ if (isset($_POST['create_folder'])) {
 
 if (isset($_POST['rename_folder'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $folder_id = intval($_POST['folder_id']);
@@ -53,6 +57,8 @@ if (isset($_POST['rename_folder'])) {
 
 if (isset($_GET['delete_folder'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 3);
 
     $folder_id = intval($_GET['delete_folder']);