From 918b40afbeac7f7ebab99567e26ae2b6770e7036 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Mon, 2 Mar 2026 22:15:36 -0500
Subject: [PATCH] Add missing CSRF Checks in admin area and settings

---
 admin/category.php                             |  8 ++++----
 admin/custom_link.php                          |  2 +-
 admin/document_template.php                    |  2 +-
 admin/mail_queue.php                           |  4 ++--
 admin/modals/custom_link/custom_link_add.php   |  1 +
 admin/modals/custom_link/custom_link_edit.php  |  2 +-
 .../document_template_add.php                  |  4 +++-
 .../document_template_edit.php                 |  2 ++
 .../project_template/project_template_add.php  |  1 +
 .../project_template/project_template_edit.php |  1 +
 .../project_template_ticket_template_add.php   |  2 ++
 .../software_template_add.php                  |  2 ++
 .../software_template_edit.php                 |  2 ++
 admin/modals/tag/tag_add.php                   | 12 +++++++-----
 admin/modals/tag/tag_edit.php                  |  2 ++
 .../modals/ticket_status/ticket_status_add.php |  1 +
 .../ticket_status/ticket_status_edit.php       |  2 ++
 .../ticket_template/ticket_template_add.php    |  2 ++
 .../ticket_template/ticket_template_edit.php   |  4 +++-
 .../ticket_template_task_edit.php              |  1 +
 .../vendor_template/vendor_template_add.php    |  1 +
 .../vendor_template/vendor_template_edit.php   |  2 ++
 admin/post/category.php                        | 18 ++++++++++++++----
 admin/post/custom_link.php                     |  6 ++++++
 admin/post/document_template.php               |  8 +++++++-
 admin/post/mail_queue.php                      |  4 ++++
 admin/post/payment_method.php                  | 12 +++++++-----
 admin/post/project_template.php                | 15 +++++++++++++--
 admin/post/settings_company.php                |  2 ++
 admin/post/settings_module.php                 |  2 ++
 admin/post/settings_theme.php                  |  2 ++
 admin/post/settings_ticket.php                 |  4 +++-
 admin/post/software_template.php               |  6 ++++++
 admin/post/tag.php                             | 10 ++++++++--
 admin/post/tax.php                             |  9 +++++++--
 admin/post/ticket_status.php                   |  4 ++++
 admin/post/ticket_template.php                 | 12 +++++++++++-
 admin/post/vendor_template.php                 |  8 +++++++-
 admin/project_template.php                     |  2 +-
 admin/project_template_details.php             |  6 ++++--
 admin/settings_company.php                     |  2 +-
 admin/settings_mail.php                        |  2 +-
 admin/settings_theme.php                       |  2 +-
 admin/software_template.php                    |  2 +-
 admin/tag.php                                  |  2 +-
 admin/ticket_template.php                      |  2 +-
 admin/ticket_template_details.php              |  1 +
 admin/vendor_template.php                      |  2 +-
 48 files changed, 160 insertions(+), 45 deletions(-)

diff --git a/admin/category.php b/admin/category.php
index 6673cab7..7613c9af 100644
--- a/admin/category.php
+++ b/admin/category.php
@@ -135,11 +135,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                         if ($archived) {
                                             ?>
                                             <a class="dropdown-item text-success confirm-link"
-                                                href="post.php?unarchive_category=<?php echo $category_id; ?>">
-                                                <i class="fas fa-fw fa-archive mr-2"></i>Unarchive
+                                                href="post.php?restore_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
+                                                <i class="fas fa-fw fa-archive mr-2"></i>Restore
                                             </a>
                                             <a class="dropdown-item text-danger confirm-link"
-                                                href="post.php?delete_category=<?php echo $category_id; ?>">
+                                                href="post.php?delete_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                             </a>
                                             <?php
@@ -150,7 +150,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                                 <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                             </a>
                                             <a class="dropdown-item text-danger confirm-link"
-                                                href="post.php?archive_category=<?php echo $category_id; ?>">
+                                                href="post.php?archive_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                             </a>
                                             <?php
diff --git a/admin/custom_link.php b/admin/custom_link.php
index bc0e5051..08eefb79 100644
--- a/admin/custom_link.php
+++ b/admin/custom_link.php
@@ -123,7 +123,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                             <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                         </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_custom_link=<?php echo $custom_link_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_custom_link=<?php echo $custom_link_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     </div>
diff --git a/admin/document_template.php b/admin/document_template.php
index 4e867642..c1bfbaf4 100644
--- a/admin/document_template.php
+++ b/admin/document_template.php
@@ -99,7 +99,7 @@
                                         <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                     </a>
                                     <div class="dropdown-divider"></div>
-                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_document_template=<?php echo $document_template_id; ?>">
+                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_document_template=<?php echo $document_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                     </a>
                                 </div>
diff --git a/admin/mail_queue.php b/admin/mail_queue.php
index ff6c469e..af0995a3 100644
--- a/admin/mail_queue.php
+++ b/admin/mail_queue.php
@@ -163,12 +163,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
                                     <!-- Show force resend if all retries have failed -->
                                     <?php if ($email_status == 2 && $email_attempts > 3) { ?>
-                                        <a class="btn btn-sm btn-success" href="post.php?send_failed_mail=<?php echo $email_id; ?>"><i class="fas fa-fw fa-paper-plane"></i></a>
+                                        <a class="btn btn-sm btn-success" href="post.php?send_failed_mail=<?php echo $email_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-paper-plane"></i></a>
                                     <?php } ?>
 
                                     <!-- Allow cancelling a message if it hasn't yet been picked up (e.g. stuck/bugged) -->
                                     <?php if ($email_status !== 3) { ?>
-                                        <a class="btn btn-sm btn-danger confirm-link" href="post.php?cancel_mail=<?php echo $email_id; ?>"><i class="fas fa-fw fa-trash"></i></a>
+                                        <a class="btn btn-sm btn-danger confirm-link" href="post.php?cancel_mail=<?php echo $email_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-trash"></i></a>
                                     <?php } ?>
 
                                 </td>
diff --git a/admin/modals/custom_link/custom_link_add.php b/admin/modals/custom_link/custom_link_add.php
index 4f63af1c..599236d3 100644
--- a/admin/modals/custom_link/custom_link_add.php
+++ b/admin/modals/custom_link/custom_link_add.php
@@ -13,6 +13,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
 
diff --git a/admin/modals/custom_link/custom_link_edit.php b/admin/modals/custom_link/custom_link_edit.php
index 6810797f..cbd07ddf 100644
--- a/admin/modals/custom_link/custom_link_edit.php
+++ b/admin/modals/custom_link/custom_link_edit.php
@@ -24,7 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
-
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="custom_link_id" value="<?php echo $custom_link_id; ?>">
 
     <div class="modal-body">
diff --git a/admin/modals/document_template/document_template_add.php b/admin/modals/document_template/document_template_add.php
index 52769a3b..70f87ed4 100644
--- a/admin/modals/document_template/document_template_add.php
+++ b/admin/modals/document_template/document_template_add.php
@@ -13,6 +13,8 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
@@ -39,7 +41,7 @@ ob_start();
         <div class="form-group">
             <input type="text" class="form-control" name="description" placeholder="Enter a short summary">
         </div>
-    
+
     </div>
 
     <div class="modal-footer">
diff --git a/admin/modals/document_template/document_template_edit.php b/admin/modals/document_template/document_template_edit.php
index 33083804..a1decc68 100644
--- a/admin/modals/document_template/document_template_edit.php
+++ b/admin/modals/document_template/document_template_edit.php
@@ -21,7 +21,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="document_template_id" value="<?php echo $document_template_id; ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/project_template/project_template_add.php b/admin/modals/project_template/project_template_add.php
index b7d8fcf0..6adec963 100644
--- a/admin/modals/project_template/project_template_add.php
+++ b/admin/modals/project_template/project_template_add.php
@@ -12,6 +12,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
         <div class="form-group">
diff --git a/admin/modals/project_template/project_template_edit.php b/admin/modals/project_template/project_template_edit.php
index 37b03df7..f863f896 100644
--- a/admin/modals/project_template/project_template_edit.php
+++ b/admin/modals/project_template/project_template_edit.php
@@ -20,6 +20,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
 
     <div class="modal-body">
diff --git a/admin/modals/project_template/project_template_ticket_template_add.php b/admin/modals/project_template/project_template_ticket_template_add.php
index e1a251ed..e5cb6865 100644
--- a/admin/modals/project_template/project_template_ticket_template_add.php
+++ b/admin/modals/project_template/project_template_ticket_template_add.php
@@ -15,7 +15,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/software_template/software_template_add.php b/admin/modals/software_template/software_template_add.php
index f592f7aa..abe132ea 100644
--- a/admin/modals/software_template/software_template_add.php
+++ b/admin/modals/software_template/software_template_add.php
@@ -13,6 +13,8 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/software_template/software_template_edit.php b/admin/modals/software_template/software_template_edit.php
index 5d4ff75d..d12ccab3 100644
--- a/admin/modals/software_template/software_template_edit.php
+++ b/admin/modals/software_template/software_template_edit.php
@@ -24,7 +24,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="software_template_id" value="<?php echo $software_template_id; ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/tag/tag_add.php b/admin/modals/tag/tag_add.php
index a878cb58..bb17f6e7 100644
--- a/admin/modals/tag/tag_add.php
+++ b/admin/modals/tag/tag_add.php
@@ -30,7 +30,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="type" value="<?php echo $type; ?>">
+
     <div class="modal-body">
         <div class="form-group">
             <label>Name <strong class="text-danger">*</strong></label>
@@ -41,13 +43,13 @@ ob_start();
                 <input type="text" class="form-control" name="name" placeholder="Tag name" maxlength="200" required autofocus>
             </div>
         </div>
-        
+
         <?php if (isset($_GET['type'])) { ?>
-        
+
         <input type="hidden" name="type" value="<?= $type ?>">
-        
+
         <?php } else { ?>
-        
+
         <div class="form-group">
             <label>Type <strong class="text-danger">*</strong></label>
             <div class="input-group">
@@ -64,7 +66,7 @@ ob_start();
                 </select>
             </div>
         </div>
-    
+
         <?php } ?>
 
         <div class="form-group">
diff --git a/admin/modals/tag/tag_edit.php b/admin/modals/tag/tag_edit.php
index 60c1e7f3..8c038dab 100644
--- a/admin/modals/tag/tag_edit.php
+++ b/admin/modals/tag/tag_edit.php
@@ -35,7 +35,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="tag_id" value="<?php echo $tag_id; ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/ticket_status/ticket_status_add.php b/admin/modals/ticket_status/ticket_status_add.php
index bef9f7ba..0b03d1f9 100644
--- a/admin/modals/ticket_status/ticket_status_add.php
+++ b/admin/modals/ticket_status/ticket_status_add.php
@@ -10,6 +10,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
         <div class="form-group">
diff --git a/admin/modals/ticket_status/ticket_status_edit.php b/admin/modals/ticket_status/ticket_status_edit.php
index 8a9e04b2..02a2c89b 100644
--- a/admin/modals/ticket_status/ticket_status_edit.php
+++ b/admin/modals/ticket_status/ticket_status_edit.php
@@ -22,7 +22,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="ticket_status_id" value="<?php echo $ticket_status_id; ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/ticket_template/ticket_template_add.php b/admin/modals/ticket_template/ticket_template_add.php
index 944251b4..a34cee56 100644
--- a/admin/modals/ticket_template/ticket_template_add.php
+++ b/admin/modals/ticket_template/ticket_template_add.php
@@ -12,6 +12,8 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
     <div class="modal-body">
 
         <div class="form-group">
diff --git a/admin/modals/ticket_template/ticket_template_edit.php b/admin/modals/ticket_template/ticket_template_edit.php
index ad3ec7be..c8bcd31a 100644
--- a/admin/modals/ticket_template/ticket_template_edit.php
+++ b/admin/modals/ticket_template/ticket_template_edit.php
@@ -9,7 +9,9 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
+
                 <div class="modal-body">
 
                     <div class="form-group">
@@ -45,7 +47,7 @@
                             <input type="text" class="form-control" name="description" value="<?php echo $ticket_template_description; ?>" placeholder="Short description">
                         </div>
                     </div>
-            
+
                 </div>
                 <div class="modal-footer">
                     <button type="submit" name="edit_ticket_template" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Save</button>
diff --git a/admin/modals/ticket_template/ticket_template_task_edit.php b/admin/modals/ticket_template/ticket_template_task_edit.php
index 2926f087..f3481882 100644
--- a/admin/modals/ticket_template/ticket_template_task_edit.php
+++ b/admin/modals/ticket_template/ticket_template_task_edit.php
@@ -24,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="task_template_id" value="<?php echo $task_template_id; ?>">
 
     <div class="modal-body">
diff --git a/admin/modals/vendor_template/vendor_template_add.php b/admin/modals/vendor_template/vendor_template_add.php
index 31128ba3..dc37a8d4 100644
--- a/admin/modals/vendor_template/vendor_template_add.php
+++ b/admin/modals/vendor_template/vendor_template_add.php
@@ -13,6 +13,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
 
diff --git a/admin/modals/vendor_template/vendor_template_edit.php b/admin/modals/vendor_template/vendor_template_edit.php
index fa4ff314..c7a41a8d 100644
--- a/admin/modals/vendor_template/vendor_template_edit.php
+++ b/admin/modals/vendor_template/vendor_template_edit.php
@@ -31,7 +31,9 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="vendor_template_id" value="<?php echo $vendor_template_id; ?>">
+
     <div class="modal-body">
 
         <ul class="nav nav-pills nav-justified mb-3">
diff --git a/admin/post/category.php b/admin/post/category.php
index 569c8552..2a0f11bb 100644
--- a/admin/post/category.php
+++ b/admin/post/category.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_category'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'category_model.php';
 
     mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_category'])) {
 
 if (isset($_POST['edit_category'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'category_model.php';
 
     $category_id = intval($_POST['category_id']);
@@ -40,6 +44,8 @@ if (isset($_POST['edit_category'])) {
 
 if (isset($_GET['archive_category'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $category_id = intval($_GET['archive_category']);
 
     // Get Category Name and Type for logging
@@ -58,9 +64,11 @@ if (isset($_GET['archive_category'])) {
 
 }
 
-if (isset($_GET['unarchive_category'])) {
+if (isset($_GET['restore_category'])) {
 
-    $category_id = intval($_GET['unarchive_category']);
+    validateCSRFToken($_GET['csrf_token']);
+
+    $category_id = intval($_GET['retore_category']);
 
     // Get Category Name and Type for logging
     $sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
@@ -70,9 +78,9 @@ if (isset($_GET['unarchive_category'])) {
 
     mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NULL WHERE category_id = $category_id");
 
-    logAction("Category", "Unarchive", "$session_name unarchived category $category_type $category_name", 0, $category_id);
+    logAction("Category", "Restore", "$session_name retored category $category_type $category_name", 0, $category_id);
 
-    flash_alert("Category $category_type <strong>$category_name</strong> unarchived");
+    flash_alert("Category $category_type <strong>$category_name</strong> restored");
 
     redirect();
 
@@ -80,6 +88,8 @@ if (isset($_GET['unarchive_category'])) {
 
 if (isset($_GET['delete_category'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $category_id = intval($_GET['delete_category']);
 
     // Get Category Name and Type for logging
diff --git a/admin/post/custom_link.php b/admin/post/custom_link.php
index 0a3c6e66..6adb699b 100644
--- a/admin/post/custom_link.php
+++ b/admin/post/custom_link.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_custom_link'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $uri = sanitizeInput($_POST['uri']);
     $new_tab = intval($_POST['new_tab'] ?? 0);
@@ -29,6 +31,8 @@ if (isset($_POST['add_custom_link'])) {
 
 if (isset($_POST['edit_custom_link'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $custom_link_id = intval($_POST['custom_link_id']);
     $name = sanitizeInput($_POST['name']);
     $uri = sanitizeInput($_POST['uri']);
@@ -49,6 +53,8 @@ if (isset($_POST['edit_custom_link'])) {
 
 if (isset($_GET['delete_custom_link'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $custom_link_id = intval($_GET['delete_custom_link']);
 
     // Get Custom Link name and uri for logging
diff --git a/admin/post/document_template.php b/admin/post/document_template.php
index f0754308..c1bb538f 100644
--- a/admin/post/document_template.php
+++ b/admin/post/document_template.php
@@ -6,11 +6,13 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_document_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
 
     mysqli_query($mysqli,"INSERT INTO document_templates SET document_template_name = '$name', document_template_description = '$description', document_template_content = '', document_template_created_by = $session_user_id");
-    
+
     $document_template_id = mysqli_insert_id($mysqli);
 
     $processed_content = mysqli_escape_string(
@@ -36,6 +38,8 @@ if (isset($_POST['add_document_template'])) {
 
 if (isset($_POST['edit_document_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $document_template_id = intval($_POST['document_template_id']);
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
@@ -69,6 +73,8 @@ if (isset($_POST['edit_document_template'])) {
 
 if (isset($_GET['delete_document_template'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $document_template_id = intval($_GET['delete_document_template']);
 
     $document_template_name = sanitizeInput(getFieldById('document_templates', $document_template_id, 'document_template_name'));
diff --git a/admin/post/mail_queue.php b/admin/post/mail_queue.php
index 3270fad1..c23b5506 100644
--- a/admin/post/mail_queue.php
+++ b/admin/post/mail_queue.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_GET['send_failed_mail'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $email_id = intval($_GET['send_failed_mail']);
 
     mysqli_query($mysqli,"UPDATE email_queue SET email_status = 0, email_attempts = 3 WHERE email_id = $email_id");
@@ -18,6 +20,8 @@ if (isset($_GET['send_failed_mail'])) {
 
 if (isset($_GET['cancel_mail'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $email_id = intval($_GET['cancel_mail']);
 
     mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
diff --git a/admin/post/payment_method.php b/admin/post/payment_method.php
index 6e453cc8..7e6d95d9 100644
--- a/admin/post/payment_method.php
+++ b/admin/post/payment_method.php
@@ -19,7 +19,7 @@ if (isset($_POST['add_payment_method'])) {
     );
 
     mysqli_stmt_bind_param($query, "ss", $name, $description);
-    
+
     mysqli_stmt_execute($query);
 
     logAction("Payment Method", "Create", "$session_name created Payment Method $name");
@@ -33,15 +33,15 @@ if (isset($_POST['add_payment_method'])) {
 if (isset($_POST['edit_payment_method'])) {
 
     validateCSRFToken($_POST['csrf_token']);
-    
+
     $payment_method_id = intval($_POST['payment_method_id']);
     $name = cleanInput($_POST['name']);
     $description = cleanInput($_POST['description']);
 
     $query = mysqli_prepare(
         $mysqli,
-        "UPDATE payment_methods 
-         SET payment_method_name = ?, payment_method_description = ? 
+        "UPDATE payment_methods
+         SET payment_method_name = ?, payment_method_description = ?
          WHERE payment_method_id = ?"
     );
 
@@ -58,7 +58,9 @@ if (isset($_POST['edit_payment_method'])) {
 }
 
 if (isset($_GET['delete_payment_method'])) {
-    
+
+    validateCSRFToken($_GET['csrf_token']);
+
     $payment_method_id = intval($_GET['delete_payment_method']);
 
     $payment_method_name = sanitizeInput(getFieldById('payment_methods', $payment_method_is, 'payment_method_name'));
diff --git a/admin/post/project_template.php b/admin/post/project_template.php
index 747d78a1..fde97587 100644
--- a/admin/post/project_template.php
+++ b/admin/post/project_template.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_project_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
 
@@ -21,6 +23,8 @@ if (isset($_POST['add_project_template'])) {
 
 if (isset($_POST['edit_project_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $project_template_id = intval($_POST['project_template_id']);
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
@@ -37,6 +41,8 @@ if (isset($_POST['edit_project_template'])) {
 
 if (isset($_POST['edit_ticket_template_order'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $ticket_template_id = intval($_POST['ticket_template_id']);
     $project_template_id = intval($_POST['project_template_id']);
     $order = intval($_POST['order']);
@@ -49,6 +55,8 @@ if (isset($_POST['edit_ticket_template_order'])) {
 
 if (isset($_POST['add_ticket_template_to_project_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $project_template_id = intval($_POST['project_template_id']);
     $ticket_template_id = intval($_POST['ticket_template_id']);
     $order = intval($_POST['order']);
@@ -65,7 +73,8 @@ if (isset($_POST['add_ticket_template_to_project_template'])) {
 
 if (isset($_POST['remove_ticket_template_from_project_template'])) {
 
-    validateTechRole();
+    validateCSRFToken($_POST['csrf_token']);
+
     $ticket_template_id = intval($_POST['ticket_template_id']);
     $project_template_id = intval($_POST['project_template_id']);
 
@@ -81,6 +90,8 @@ if (isset($_POST['remove_ticket_template_from_project_template'])) {
 
 if (isset($_GET['delete_project_template'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $project_template_id = intval($_GET['delete_project_template']);
 
     $project_template_name = sanitizeInput(getFieldById('project_templates', $project_template_id, 'project_template_name'));
@@ -95,5 +106,5 @@ if (isset($_GET['delete_project_template'])) {
     flash_alert("Project Template <strong>$project_template_name</strong> and its associated ticket templates and tasks deleted", 'error');
 
     redirect();
-    
+
 }
diff --git a/admin/post/settings_company.php b/admin/post/settings_company.php
index 72fd531a..bbf400ac 100644
--- a/admin/post/settings_company.php
+++ b/admin/post/settings_company.php
@@ -54,6 +54,8 @@ if (isset($_POST['edit_company'])) {
 
 if (isset($_GET['remove_company_logo'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $sql = mysqli_query($mysqli,"SELECT company_logo FROM companies");
     $row = mysqli_fetch_assoc($sql);
     $company_logo = $row['company_logo']; // FileSystem Operation Logo is already sanitized
diff --git a/admin/post/settings_module.php b/admin/post/settings_module.php
index f00cc412..da72351c 100644
--- a/admin/post/settings_module.php
+++ b/admin/post/settings_module.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['edit_module_settings'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);
     $config_module_enable_ticketing = intval($_POST['config_module_enable_ticketing'] ?? 0);
     $config_module_enable_accounting = intval($_POST['config_module_enable_accounting'] ?? 0);
diff --git a/admin/post/settings_theme.php b/admin/post/settings_theme.php
index f595e0e8..b239ce97 100644
--- a/admin/post/settings_theme.php
+++ b/admin/post/settings_theme.php
@@ -52,6 +52,8 @@ if (isset($_POST['edit_favicon_settings'])) {
 
 if (isset($_GET['reset_favicon'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     if (file_exists("../uploads/favicon.ico")) {
         unlink("../uploads/favicon.ico");
     }
diff --git a/admin/post/settings_ticket.php b/admin/post/settings_ticket.php
index c1a35679..85749ec1 100644
--- a/admin/post/settings_ticket.php
+++ b/admin/post/settings_ticket.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['edit_ticket_settings'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
     $config_ticket_next_number = intval($_POST['config_ticket_next_number']);
     $config_ticket_email_parse = intval($_POST['config_ticket_email_parse'] ?? 0);
@@ -18,7 +20,7 @@ if (isset($_POST['edit_ticket_settings'])) {
     $config_ticket_moving_columns = intval($_POST['config_ticket_moving_columns']);
     $config_ticket_ordering = intval($_POST['config_ticket_ordering']);
     $config_ticket_timer_autostart = intval($_POST['config_ticket_timer_autostart']);
-    
+
     mysqli_query($mysqli,"UPDATE settings SET config_ticket_prefix = '$config_ticket_prefix', config_ticket_next_number = $config_ticket_next_number, config_ticket_email_parse = $config_ticket_email_parse, config_ticket_email_parse_unknown_senders = $config_ticket_email_parse_unknown_senders, config_ticket_autoclose_hours = $config_ticket_autoclose_hours, config_ticket_new_ticket_notification_email = '$config_ticket_new_ticket_notification_email', config_ticket_default_billable = $config_ticket_default_billable, config_ticket_default_view = $config_ticket_default_view, config_ticket_moving_columns = $config_ticket_moving_columns, config_ticket_ordering = $config_ticket_ordering, config_ticket_timer_autostart = $config_ticket_timer_autostart WHERE company_id = 1");
 
     logAction("Settings", "Edit", "$session_name edited ticket settings");
diff --git a/admin/post/software_template.php b/admin/post/software_template.php
index 1ef95894..5f4e7337 100644
--- a/admin/post/software_template.php
+++ b/admin/post/software_template.php
@@ -6,6 +6,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_software_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $version = sanitizeInput($_POST['version']);
     $description = sanitizeInput($_POST['description']);
@@ -27,6 +29,8 @@ if (isset($_POST['add_software_template'])) {
 
 if (isset($_POST['edit_software_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $software_template_id = intval($_POST['software_template_id']);
     $name = sanitizeInput($_POST['name']);
     $version = sanitizeInput($_POST['version']);
@@ -47,6 +51,8 @@ if (isset($_POST['edit_software_template'])) {
 
 if (isset($_GET['delete_software_template'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $software_template_id = intval($_GET['delete_software_template']);
 
     // Get Software Template Name for logging and alert message
diff --git a/admin/post/tag.php b/admin/post/tag.php
index 815a614c..839c6292 100644
--- a/admin/post/tag.php
+++ b/admin/post/tag.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_tag'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'tag_model.php';
 
     mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_tag'])) {
 
 if (isset($_POST['edit_tag'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     require_once 'post/tag_model.php';
 
     $tag_id = intval($_POST['tag_id']);
@@ -39,9 +43,11 @@ if (isset($_POST['edit_tag'])) {
 }
 
 if (isset($_GET['delete_tag'])) {
-    
+
+    validateCSRFToken($_GET['csrf_token']);
+
     $tag_id = intval($_GET['delete_tag']);
-    
+
     $tag_name = sanitizeInput(getFieldById('tags', $tag_id, 'tag_name'));
 
     mysqli_query($mysqli,"DELETE FROM tags WHERE tag_id = $tag_id");
diff --git a/admin/post/tax.php b/admin/post/tax.php
index 53097516..c7f8c489 100644
--- a/admin/post/tax.php
+++ b/admin/post/tax.php
@@ -9,6 +9,7 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_tax'])) {
 
     validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $percent = floatval($_POST['percent']);
 
@@ -27,6 +28,7 @@ if (isset($_POST['add_tax'])) {
 if (isset($_POST['edit_tax'])) {
 
     validateCSRFToken($_POST['csrf_token']);
+
     $tax_id = intval($_POST['tax_id']);
     $name = sanitizeInput($_POST['name']);
     $percent = floatval($_POST['percent']);
@@ -42,8 +44,9 @@ if (isset($_POST['edit_tax'])) {
 }
 
 if (isset($_GET['archive_tax'])) {
-    
+
     validateCSRFToken($_GET['csrf_token']);
+
     $tax_id = intval($_GET['archive_tax']);
 
     $tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));
@@ -59,7 +62,9 @@ if (isset($_GET['archive_tax'])) {
 }
 
 if (isset($_GET['delete_tax'])) {
-    
+
+    validateCSRFToken($_GET['csrf_token']);
+
     $tax_id = intval($_GET['delete_tax']);
 
     $tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));
diff --git a/admin/post/ticket_status.php b/admin/post/ticket_status.php
index a5ea3efd..91069a60 100644
--- a/admin/post/ticket_status.php
+++ b/admin/post/ticket_status.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_ticket_status'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $color = sanitizeInput($_POST['color']);
 
@@ -21,6 +23,8 @@ if (isset($_POST['add_ticket_status'])) {
 
 if (isset($_POST['edit_ticket_status'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $ticket_status_id = intval($_POST['ticket_status_id']);
     $name = sanitizeInput($_POST['name']);
     $color = sanitizeInput($_POST['color']);
diff --git a/admin/post/ticket_template.php b/admin/post/ticket_template.php
index c968b6df..0fe2a848 100644
--- a/admin/post/ticket_template.php
+++ b/admin/post/ticket_template.php
@@ -10,6 +10,8 @@ require_once '../agent/post/task.php';
 
 if (isset($_POST['add_ticket_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
     $subject = sanitizeInput($_POST['subject']);
@@ -34,6 +36,8 @@ if (isset($_POST['add_ticket_template'])) {
 
 if (isset($_POST['edit_ticket_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $ticket_template_id = intval($_POST['ticket_template_id']);
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
@@ -52,6 +56,8 @@ if (isset($_POST['edit_ticket_template'])) {
 
 if (isset($_GET['delete_ticket_template'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $ticket_template_id = intval($_GET['delete_ticket_template']);
 
     $ticket_template_name = sanitizeInput(getFieldById('ticket_templates', $ticket_template_id, 'ticket_template_name'));
@@ -72,6 +78,8 @@ if (isset($_GET['delete_ticket_template'])) {
 
 if (isset($_POST['add_ticket_template_task'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $ticket_template_id = intval($_POST['ticket_template_id']);
     $task_name = sanitizeInput($_POST['task_name']);
 
@@ -89,6 +97,8 @@ if (isset($_POST['add_ticket_template_task'])) {
 
 if (isset($_GET['delete_task_template'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     $task_template_id = intval($_GET['delete_task_template']);
 
     $task_template_name = sanitizeInput(getFieldById('tags', $task_template_id, 'task_template_name'));
@@ -100,5 +110,5 @@ if (isset($_GET['delete_task_template'])) {
     flash_alert("Task <strong>$task_template_name</strong> deleted", 'error');
 
     redirect();
-    
+
 }
diff --git a/admin/post/vendor_template.php b/admin/post/vendor_template.php
index 34336267..5b0c869e 100644
--- a/admin/post/vendor_template.php
+++ b/admin/post/vendor_template.php
@@ -9,6 +9,8 @@ require_once '../agent/post/vendor.php';
 
 if (isset($_POST['add_vendor_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
     $account_number = sanitizeInput($_POST['account_number']);
@@ -37,6 +39,8 @@ if (isset($_POST['add_vendor_template'])) {
 
 if (isset($_POST['edit_vendor_template'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     $vendor_template_id = intval($_POST['vendor_template_id']);
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
@@ -140,7 +144,9 @@ if (isset($_POST['edit_vendor_template'])) {
 }
 
 if (isset($_GET['delete_vendor_template'])) {
-    
+
+    validateCSRFToken($_GET['csrf_token']);
+
     $vendor_template_id = intval($_GET['delete_vendor_template']);
 
     $vendor_template_name = sanitizeInput(getFieldById('vendor_templates', $vendor_template_id, 'vendor_template_name'));
diff --git a/admin/project_template.php b/admin/project_template.php
index f0131d27..87e28442 100644
--- a/admin/project_template.php
+++ b/admin/project_template.php
@@ -114,7 +114,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     </a>
                                     <?php if($session_user_role == 3) { ?>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     <?php } ?>
diff --git a/admin/project_template_details.php b/admin/project_template_details.php
index 6039d8f4..59346b2c 100644
--- a/admin/project_template_details.php
+++ b/admin/project_template_details.php
@@ -104,13 +104,13 @@ if (isset($_GET['project_template_id'])) {
                         </a>
                         <?php if ($session_user_role == 3) { ?>
                             <div class="dropdown-divider"></div>
-                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project_template=<?php echo $project_template_id; ?>">
+                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive (not yet implemented)
                             </a>
                         <?php } ?>
                         <?php if ($session_user_role == 3) { ?>
                             <div class="dropdown-divider"></div>
-                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>">
+                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                 <i class="fas fa-fw fa-trash mr-2"></i>Delete
                             </a>
                         <?php } ?>
@@ -157,6 +157,7 @@ if (isset($_GET['project_template_id'])) {
                             <tr>
                                 <td class="pr-0">
                                     <form action="post.php" method="post" autocomplete="off">
+                                        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                         <input type="hidden" name="edit_ticket_template_order">
                                         <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
                                         <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
@@ -172,6 +173,7 @@ if (isset($_GET['project_template_id'])) {
                                 <td><?php echo $ticket_template_subject; ?></td>
                                 <td>
                                     <form action="post.php" method="post" autocomplete="off">
+                                        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                         <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
                                         <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
                                         <button type="submit" class="btn btn-default btn-sm confirm-link"
diff --git a/admin/settings_company.php b/admin/settings_company.php
index b5a5df27..94eb9797 100644
--- a/admin/settings_company.php
+++ b/admin/settings_company.php
@@ -37,7 +37,7 @@ $company_initials = nullable_htmlentities(initials($company_name));
                         <div class="col-md-3 text-center">
                             <?php if ($company_logo) { ?>
                                 <img class="img-thumbnail" src="<?php echo "../uploads/settings/$company_logo"; ?>">
-                                <a href="post.php?remove_company_logo" class="btn btn-outline-danger btn-block">Remove Logo</a>
+                                <a href="post.php?remove_company_logo&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger btn-block">Remove Logo</a>
                                 <hr>
                             <?php } ?>
                             <div class="form-group">
diff --git a/admin/settings_mail.php b/admin/settings_mail.php
index 923739cd..ffae37b0 100644
--- a/admin/settings_mail.php
+++ b/admin/settings_mail.php
@@ -260,7 +260,7 @@ require_once "includes/inc_all_admin.php";
                         <input type="text" class="form-control" readonly value="<?php echo htmlspecialchars($mail_oauth_callback_uri); ?>">
                         <div class="input-group-append">
                             <button type="submit" name="oauth_connect_microsoft_mail" class="btn btn-outline-primary">
-                                <i class="fas fa-fw fa-sign-in-alt mr-2"></i>Connect Microsoft 365
+                                <i class="fab fa-fw fa-microsoft mr-2"></i>Connect Microsoft 365
                             </button>
                         </div>
                     </div>
diff --git a/admin/settings_theme.php b/admin/settings_theme.php
index 742a4822..80957ff1 100644
--- a/admin/settings_theme.php
+++ b/admin/settings_theme.php
@@ -58,7 +58,7 @@ require_once "includes/inc_all_admin.php";
 
                 <button type="submit" name="edit_favicon_settings" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Upload Icon</button>
                 <?php if(file_exists("../uploads/favicon.ico")) { ?>
-                <a href="post.php?reset_favicon" class="btn btn-outline-danger"><i class="fas fa-redo-alt mr-2"></i>Reset Favicon</a>
+                <a href="post.php?reset_favicon&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger"><i class="fas fa-redo-alt mr-2"></i>Reset Favicon</a>
                 <?php } ?>
             </form>
         </div>
diff --git a/admin/software_template.php b/admin/software_template.php
index 5bd63d59..2b191c17 100644
--- a/admin/software_template.php
+++ b/admin/software_template.php
@@ -103,7 +103,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     </a>
                                     <?php if($session_user_role == 3) { ?>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_software_template=<?php echo $software_template_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_software_template=<?php echo $software_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     <?php } ?>
diff --git a/admin/tag.php b/admin/tag.php
index 94b3f8d8..94e19109 100644
--- a/admin/tag.php
+++ b/admin/tag.php
@@ -142,7 +142,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                             <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                         </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_tag=<?php echo $tag_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_tag=<?php echo $tag_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     </div>
diff --git a/admin/ticket_template.php b/admin/ticket_template.php
index 44ba4c9d..85dae470 100644
--- a/admin/ticket_template.php
+++ b/admin/ticket_template.php
@@ -101,7 +101,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     <i class="fas fa-ellipsis-h"></i>
                                 </button>
                                 <div class="dropdown-menu">
-                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket_template=<?= $ticket_template_id ?>">
+                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket_template=<?= $ticket_template_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                     </a>
                                 </div>
diff --git a/admin/ticket_template_details.php b/admin/ticket_template_details.php
index c036397f..84496dcb 100644
--- a/admin/ticket_template_details.php
+++ b/admin/ticket_template_details.php
@@ -86,6 +86,7 @@ $sql_task_templates = mysqli_query($mysqli, "SELECT * FROM task_templates WHERE
             </div>
             <div class="card-body">
                 <form action="post.php" method="post" autocomplete="off">
+                    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                     <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
                     <div class="form-group">
                         <div class="input-group input-group-sm">
diff --git a/admin/vendor_template.php b/admin/vendor_template.php
index 168b3b12..2b5cdb64 100644
--- a/admin/vendor_template.php
+++ b/admin/vendor_template.php
@@ -140,7 +140,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     </a>
                                     <?php if ($session_user_role == 3) { ?>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor_template=<?= $vendor_template_id ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor_template=<?= $vendor_template_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     <?php } ?>