Add missing CSRF Checks in admin area and settings

This commit is contained in:
johnnyq
2026-03-02 22:15:36 -05:00
parent 6da8821f2c
commit 918b40afbe
48 changed files with 160 additions and 45 deletions


@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_category'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'category_model.php';
mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_category'])) {
if (isset($_POST['edit_category'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'category_model.php';
$category_id = intval($_POST['category_id']);
@@ -40,6 +44,8 @@ if (isset($_POST['edit_category'])) {
if (isset($_GET['archive_category'])) {
validateCSRFToken($_GET['csrf_token']);
$category_id = intval($_GET['archive_category']);
// Get Category Name and Type for logging
@@ -58,9 +64,11 @@ if (isset($_GET['archive_category'])) {
}
if (isset($_GET['unarchive_category'])) {
if (isset($_GET['restore_category'])) {
$category_id = intval($_GET['unarchive_category']);
validateCSRFToken($_GET['csrf_token']);
$category_id = intval($_GET['retore_category']);
// Get Category Name and Type for logging
$sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
@@ -70,9 +78,9 @@ if (isset($_GET['unarchive_category'])) {
mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NULL WHERE category_id = $category_id");
logAction("Category", "Unarchive", "$session_name unarchived category $category_type $category_name", 0, $category_id);
logAction("Category", "Restore", "$session_name retored category $category_type $category_name", 0, $category_id);
flash_alert("Category $category_type <strong>$category_name</strong> unarchived");
flash_alert("Category $category_type <strong>$category_name</strong> restored");
redirect();
@@ -80,6 +88,8 @@ if (isset($_GET['unarchive_category'])) {
if (isset($_GET['delete_category'])) {
validateCSRFToken($_GET['csrf_token']);
$category_id = intval($_GET['delete_category']);
// Get Category Name and Type for logging
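Review bot: The restore handler reads a key that does not match its own guard: the branch is entered on `$_GET['restore_category']` but the id comes from `$_GET['retore_category']`, so `$category_id` is always 0 and the UPDATE in the following hunk never touches the intended row; change it to `$category_id = intval($_GET['restore_category']);` and fix the log text `retored` to `restored` while there. Separately, every GET handler here passes `$_GET['csrf_token']` straight through; when the parameter is absent PHP raises an undefined-key warning before validateCSRFToken runs, so `validateCSRFToken($_GET['csrf_token'] ?? '');` is the safer spelling (assuming validateCSRFToken rejects an empty value — confirm). Because tokens carried in the query string end up in server logs, browser history and Referer headers, the archive/restore/delete actions would be better converted to POST forms in a follow-up; this applies to the GET handlers in the other files of this commit as well.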


@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_custom_link'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
$new_tab = intval($_POST['new_tab'] ?? 0);
@@ -29,6 +31,8 @@ if (isset($_POST['add_custom_link'])) {
if (isset($_POST['edit_custom_link'])) {
validateCSRFToken($_POST['csrf_token']);
$custom_link_id = intval($_POST['custom_link_id']);
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
@@ -49,6 +53,8 @@ if (isset($_POST['edit_custom_link'])) {
if (isset($_GET['delete_custom_link'])) {
validateCSRFToken($_GET['csrf_token']);
$custom_link_id = intval($_GET['delete_custom_link']);
// Get Custom Link name and uri for logging


@@ -6,11 +6,13 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document_template'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli,"INSERT INTO document_templates SET document_template_name = '$name', document_template_description = '$description', document_template_content = '', document_template_created_by = $session_user_id");
$document_template_id = mysqli_insert_id($mysqli);
$processed_content = mysqli_escape_string(
@@ -36,6 +38,8 @@ if (isset($_POST['add_document_template'])) {
if (isset($_POST['edit_document_template'])) {
validateCSRFToken($_POST['csrf_token']);
$document_template_id = intval($_POST['document_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -69,6 +73,8 @@ if (isset($_POST['edit_document_template'])) {
if (isset($_GET['delete_document_template'])) {
validateCSRFToken($_GET['csrf_token']);
$document_template_id = intval($_GET['delete_document_template']);
$document_template_name = sanitizeInput(getFieldById('document_templates', $document_template_id, 'document_template_name'));


@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['send_failed_mail'])) {
validateCSRFToken($_GET['csrf_token']);
$email_id = intval($_GET['send_failed_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 0, email_attempts = 3 WHERE email_id = $email_id");
@@ -18,6 +20,8 @@ if (isset($_GET['send_failed_mail'])) {
if (isset($_GET['cancel_mail'])) {
validateCSRFToken($_GET['csrf_token']);
$email_id = intval($_GET['cancel_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");


@@ -19,7 +19,7 @@ if (isset($_POST['add_payment_method'])) {
);
mysqli_stmt_bind_param($query, "ss", $name, $description);
mysqli_stmt_execute($query);
logAction("Payment Method", "Create", "$session_name created Payment Method $name");
@@ -33,15 +33,15 @@ if (isset($_POST['add_payment_method'])) {
if (isset($_POST['edit_payment_method'])) {
validateCSRFToken($_POST['csrf_token']);
$payment_method_id = intval($_POST['payment_method_id']);
$name = cleanInput($_POST['name']);
$description = cleanInput($_POST['description']);
$query = mysqli_prepare(
$mysqli,
"UPDATE payment_methods
SET payment_method_name = ?, payment_method_description = ?
"UPDATE payment_methods
SET payment_method_name = ?, payment_method_description = ?
WHERE payment_method_id = ?"
);
@@ -58,7 +58,9 @@ if (isset($_POST['edit_payment_method'])) {
}
if (isset($_GET['delete_payment_method'])) {
validateCSRFToken($_GET['csrf_token']);
$payment_method_id = intval($_GET['delete_payment_method']);
$payment_method_name = sanitizeInput(getFieldById('payment_methods', $payment_method_is, 'payment_method_name'));
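Review bot: `$payment_method_is` on the last line of the delete hunk is an undefined variable — the id was assigned to `$payment_method_id` one line above — so getFieldById receives null and the name used afterwards for logging and the alert will be empty; change it to `$payment_method_name = sanitizeInput(getFieldById('payment_methods', $payment_method_id, 'payment_method_name'));`. The rendered view does not show whether this line is new or context, but it is on the new side either way, and the rest of the delete handler lies outside the hunk. The doubled `UPDATE payment_methods` lines in the edit hunk appear to be a whitespace-only change.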


@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project_template'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -21,6 +23,8 @@ if (isset($_POST['add_project_template'])) {
if (isset($_POST['edit_project_template'])) {
validateCSRFToken($_POST['csrf_token']);
$project_template_id = intval($_POST['project_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -37,6 +41,8 @@ if (isset($_POST['edit_project_template'])) {
if (isset($_POST['edit_ticket_template_order'])) {
validateCSRFToken($_POST['csrf_token']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
$order = intval($_POST['order']);
@@ -49,6 +55,8 @@ if (isset($_POST['edit_ticket_template_order'])) {
if (isset($_POST['add_ticket_template_to_project_template'])) {
validateCSRFToken($_POST['csrf_token']);
$project_template_id = intval($_POST['project_template_id']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$order = intval($_POST['order']);
@@ -65,7 +73,8 @@ if (isset($_POST['add_ticket_template_to_project_template'])) {
if (isset($_POST['remove_ticket_template_from_project_template'])) {
validateTechRole();
validateCSRFToken($_POST['csrf_token']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
@@ -81,6 +90,8 @@ if (isset($_POST['remove_ticket_template_from_project_template'])) {
if (isset($_GET['delete_project_template'])) {
validateCSRFToken($_GET['csrf_token']);
$project_template_id = intval($_GET['delete_project_template']);
$project_template_name = sanitizeInput(getFieldById('project_templates', $project_template_id, 'project_template_name'));
@@ -95,5 +106,5 @@ if (isset($_GET['delete_project_template'])) {
flash_alert("Project Template <strong>$project_template_name</strong> and its associated ticket templates and tasks deleted", 'error');
redirect();
}


@@ -54,6 +54,8 @@ if (isset($_POST['edit_company'])) {
if (isset($_GET['remove_company_logo'])) {
validateCSRFToken($_GET['csrf_token']);
$sql = mysqli_query($mysqli,"SELECT company_logo FROM companies");
$row = mysqli_fetch_assoc($sql);
$company_logo = $row['company_logo']; // FileSystem Operation Logo is already sanitized


@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_module_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);
$config_module_enable_ticketing = intval($_POST['config_module_enable_ticketing'] ?? 0);
$config_module_enable_accounting = intval($_POST['config_module_enable_accounting'] ?? 0);


@@ -52,6 +52,8 @@ if (isset($_POST['edit_favicon_settings'])) {
if (isset($_GET['reset_favicon'])) {
validateCSRFToken($_GET['csrf_token']);
if (file_exists("../uploads/favicon.ico")) {
unlink("../uploads/favicon.ico");
}


@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ticket_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
$config_ticket_next_number = intval($_POST['config_ticket_next_number']);
$config_ticket_email_parse = intval($_POST['config_ticket_email_parse'] ?? 0);
@@ -18,7 +20,7 @@ if (isset($_POST['edit_ticket_settings'])) {
$config_ticket_moving_columns = intval($_POST['config_ticket_moving_columns']);
$config_ticket_ordering = intval($_POST['config_ticket_ordering']);
$config_ticket_timer_autostart = intval($_POST['config_ticket_timer_autostart']);
mysqli_query($mysqli,"UPDATE settings SET config_ticket_prefix = '$config_ticket_prefix', config_ticket_next_number = $config_ticket_next_number, config_ticket_email_parse = $config_ticket_email_parse, config_ticket_email_parse_unknown_senders = $config_ticket_email_parse_unknown_senders, config_ticket_autoclose_hours = $config_ticket_autoclose_hours, config_ticket_new_ticket_notification_email = '$config_ticket_new_ticket_notification_email', config_ticket_default_billable = $config_ticket_default_billable, config_ticket_default_view = $config_ticket_default_view, config_ticket_moving_columns = $config_ticket_moving_columns, config_ticket_ordering = $config_ticket_ordering, config_ticket_timer_autostart = $config_ticket_timer_autostart WHERE company_id = 1");
logAction("Settings", "Edit", "$session_name edited ticket settings");


@@ -6,6 +6,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_software_template'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
@@ -27,6 +29,8 @@ if (isset($_POST['add_software_template'])) {
if (isset($_POST['edit_software_template'])) {
validateCSRFToken($_POST['csrf_token']);
$software_template_id = intval($_POST['software_template_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
@@ -47,6 +51,8 @@ if (isset($_POST['edit_software_template'])) {
if (isset($_GET['delete_software_template'])) {
validateCSRFToken($_GET['csrf_token']);
$software_template_id = intval($_GET['delete_software_template']);
// Get Software Template Name for logging and alert message


@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tag'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'tag_model.php';
mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_tag'])) {
if (isset($_POST['edit_tag'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'post/tag_model.php';
$tag_id = intval($_POST['tag_id']);
@@ -39,9 +43,11 @@ if (isset($_POST['edit_tag'])) {
}
if (isset($_GET['delete_tag'])) {
validateCSRFToken($_GET['csrf_token']);
$tag_id = intval($_GET['delete_tag']);
$tag_name = sanitizeInput(getFieldById('tags', $tag_id, 'tag_name'));
mysqli_query($mysqli,"DELETE FROM tags WHERE tag_id = $tag_id");
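Review bot: The two handlers in this file include the model under different paths — add_tag uses `require_once 'tag_model.php';` while edit_tag uses `require_once 'post/tag_model.php';` — and unless the include path happens to resolve both, one of them will fail with a fatal error at runtime. Pick a single spelling (presumably the one add_tag uses, since both handlers live in the same file) and confirm it against the actual directory layout. The rendered view does not show whether the edit_tag include line is new or context, but it is on the new side either way.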


@@ -9,6 +9,7 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
@@ -27,6 +28,7 @@ if (isset($_POST['add_tax'])) {
if (isset($_POST['edit_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$tax_id = intval($_POST['tax_id']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
@@ -42,8 +44,9 @@ if (isset($_POST['edit_tax'])) {
}
if (isset($_GET['archive_tax'])) {
validateCSRFToken($_GET['csrf_token']);
$tax_id = intval($_GET['archive_tax']);
$tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));
@@ -59,7 +62,9 @@ if (isset($_GET['archive_tax'])) {
}
if (isset($_GET['delete_tax'])) {
validateCSRFToken($_GET['csrf_token']);
$tax_id = intval($_GET['delete_tax']);
$tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));


@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket_status'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
@@ -21,6 +23,8 @@ if (isset($_POST['add_ticket_status'])) {
if (isset($_POST['edit_ticket_status'])) {
validateCSRFToken($_POST['csrf_token']);
$ticket_status_id = intval($_POST['ticket_status_id']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);


@@ -10,6 +10,8 @@ require_once '../agent/post/task.php';
if (isset($_POST['add_ticket_template'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$subject = sanitizeInput($_POST['subject']);
@@ -34,6 +36,8 @@ if (isset($_POST['add_ticket_template'])) {
if (isset($_POST['edit_ticket_template'])) {
validateCSRFToken($_POST['csrf_token']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -52,6 +56,8 @@ if (isset($_POST['edit_ticket_template'])) {
if (isset($_GET['delete_ticket_template'])) {
validateCSRFToken($_GET['csrf_token']);
$ticket_template_id = intval($_GET['delete_ticket_template']);
$ticket_template_name = sanitizeInput(getFieldById('ticket_templates', $ticket_template_id, 'ticket_template_name'));
@@ -72,6 +78,8 @@ if (isset($_GET['delete_ticket_template'])) {
if (isset($_POST['add_ticket_template_task'])) {
validateCSRFToken($_POST['csrf_token']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$task_name = sanitizeInput($_POST['task_name']);
@@ -89,6 +97,8 @@ if (isset($_POST['add_ticket_template_task'])) {
if (isset($_GET['delete_task_template'])) {
validateCSRFToken($_GET['csrf_token']);
$task_template_id = intval($_GET['delete_task_template']);
$task_template_name = sanitizeInput(getFieldById('tags', $task_template_id, 'task_template_name'));
@@ -100,5 +110,5 @@ if (isset($_GET['delete_task_template'])) {
flash_alert("Task <strong>$task_template_name</strong> deleted", 'error');
redirect();
}
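Review bot: The delete_task_template handler looks up the name with `getFieldById('tags', $task_template_id, 'task_template_name')`, which reads the `tags` table even though every other lookup in this file uses the entity's own table (`ticket_templates` for ticket templates); this looks copied from the tag handler and will leave `$task_template_name` empty in the log line and alert. Replace `'tags'` with the task-template table name — the exact name is not visible on this page, so confirm it against the schema. Whether that line is new or context is not shown in the rendered view, but it is on the new side either way.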


@@ -9,6 +9,8 @@ require_once '../agent/post/vendor.php';
if (isset($_POST['add_vendor_template'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);
@@ -37,6 +39,8 @@ if (isset($_POST['add_vendor_template'])) {
if (isset($_POST['edit_vendor_template'])) {
validateCSRFToken($_POST['csrf_token']);
$vendor_template_id = intval($_POST['vendor_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -140,7 +144,9 @@ if (isset($_POST['edit_vendor_template'])) {
}
if (isset($_GET['delete_vendor_template'])) {
validateCSRFToken($_GET['csrf_token']);
$vendor_template_id = intval($_GET['delete_vendor_template']);
$vendor_template_name = sanitizeInput(getFieldById('vendor_templates', $vendor_template_id, 'vendor_template_name'));