Add missing CSRF Checks in admin area and settings

2026-03-13 17:24:51 +00:00 · 2026-03-02 22:15:36 -05:00
parent 6da8821f2c
commit 918b40afbe
48 changed files with 160 additions and 45 deletions
--- a/admin/category.php
+++ b/admin/category.php
@@ -135,11 +135,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                        if ($archived) {
                                            ?>
                                            <a class="dropdown-item text-success confirm-link"
-                                                href="post.php?unarchive_category=<?php echo $category_id; ?>">
+                                                href="post.php?restore_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
-                                                <i class="fas fa-fw fa-archive mr-2"></i>Unarchive
+                                                <i class="fas fa-fw fa-archive mr-2"></i>Restore
                                            </a>
                                            <a class="dropdown-item text-danger confirm-link"
-                                                href="post.php?delete_category=<?php echo $category_id; ?>">
+                                                href="post.php?delete_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                            </a>
                                            <?php
@@ -150,7 +150,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                                <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                            </a>
                                            <a class="dropdown-item text-danger confirm-link"
-                                                href="post.php?archive_category=<?php echo $category_id; ?>">
+                                                href="post.php?archive_category=<?php echo $category_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                            </a>
                                            <?php
--- a/admin/custom_link.php
+++ b/admin/custom_link.php
@@ -123,7 +123,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                            <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                        </a>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_custom_link=<?php echo $custom_link_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_custom_link=<?php echo $custom_link_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    </div>
--- a/admin/document_template.php
+++ b/admin/document_template.php
@@ -99,7 +99,7 @@
                                        <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                    </a>
                                    <div class="dropdown-divider"></div>
-                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_document_template=<?php echo $document_template_id; ?>">
+                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_document_template=<?php echo $document_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                        <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                    </a>
                                </div>
--- a/admin/mail_queue.php
+++ b/admin/mail_queue.php
@@ -163,12 +163,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                    <!-- Show force resend if all retries have failed -->
                                    <?php if ($email_status == 2 && $email_attempts > 3) { ?>
-                                        <a class="btn btn-sm btn-success" href="post.php?send_failed_mail=<?php echo $email_id; ?>"><i class="fas fa-fw fa-paper-plane"></i></a>
+                                        <a class="btn btn-sm btn-success" href="post.php?send_failed_mail=<?php echo $email_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-paper-plane"></i></a>
                                    <?php } ?>
                                    <!-- Allow cancelling a message if it hasn't yet been picked up (e.g. stuck/bugged) -->
                                    <?php if ($email_status !== 3) { ?>
-                                        <a class="btn btn-sm btn-danger confirm-link" href="post.php?cancel_mail=<?php echo $email_id; ?>"><i class="fas fa-fw fa-trash"></i></a>
+                                        <a class="btn btn-sm btn-danger confirm-link" href="post.php?cancel_mail=<?php echo $email_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-trash"></i></a>
                                    <?php } ?>
                                </td>
--- a/admin/modals/custom_link/custom_link_add.php
+++ b/admin/modals/custom_link/custom_link_add.php
@@ -13,6 +13,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
--- a/admin/modals/custom_link/custom_link_edit.php
+++ b/admin/modals/custom_link/custom_link_edit.php
@@ -24,7 +24,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
-
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="custom_link_id" value="<?php echo $custom_link_id; ?>">
    <div class="modal-body">
--- a/admin/modals/document_template/document_template_add.php
+++ b/admin/modals/document_template/document_template_add.php
@@ -13,6 +13,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/document_template/document_template_edit.php
+++ b/admin/modals/document_template/document_template_edit.php
@@ -21,7 +21,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="document_template_id" value="<?php echo $document_template_id; ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/project_template/project_template_add.php
+++ b/admin/modals/project_template/project_template_add.php
@@ -12,6 +12,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/project_template/project_template_edit.php
+++ b/admin/modals/project_template/project_template_edit.php
@@ -20,6 +20,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
    <div class="modal-body">
--- a/admin/modals/project_template/project_template_ticket_template_add.php
+++ b/admin/modals/project_template/project_template_ticket_template_add.php
@@ -15,7 +15,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/software_template/software_template_add.php
+++ b/admin/modals/software_template/software_template_add.php
@@ -13,6 +13,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/software_template/software_template_edit.php
+++ b/admin/modals/software_template/software_template_edit.php
@@ -24,7 +24,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="software_template_id" value="<?php echo $software_template_id; ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/tag/tag_add.php
+++ b/admin/modals/tag/tag_add.php
@@ -30,7 +30,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="type" value="<?php echo $type; ?>">
    <div class="modal-body">
        <div class="form-group">
            <label>Name <strong class="text-danger">*</strong></label>
--- a/admin/modals/tag/tag_edit.php
+++ b/admin/modals/tag/tag_edit.php
@@ -35,7 +35,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="tag_id" value="<?php echo $tag_id; ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/ticket_status/ticket_status_add.php
+++ b/admin/modals/ticket_status/ticket_status_add.php
@@ -10,6 +10,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/ticket_status/ticket_status_edit.php
+++ b/admin/modals/ticket_status/ticket_status_edit.php
@@ -22,7 +22,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="ticket_status_id" value="<?php echo $ticket_status_id; ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/ticket_template/ticket_template_add.php
+++ b/admin/modals/ticket_template/ticket_template_add.php
@@ -12,6 +12,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
        <div class="form-group">
--- a/admin/modals/ticket_template/ticket_template_edit.php
+++ b/admin/modals/ticket_template/ticket_template_edit.php
@@ -9,7 +9,9 @@
                </button>
            </div>
            <form action="post.php" method="post" autocomplete="off">
                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
                <div class="modal-body">
                    <div class="form-group">
--- a/admin/modals/ticket_template/ticket_template_task_edit.php
+++ b/admin/modals/ticket_template/ticket_template_task_edit.php
@@ -24,6 +24,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="task_template_id" value="<?php echo $task_template_id; ?>">
    <div class="modal-body">
--- a/admin/modals/vendor_template/vendor_template_add.php
+++ b/admin/modals/vendor_template/vendor_template_add.php
@@ -13,6 +13,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">
--- a/admin/modals/vendor_template/vendor_template_edit.php
+++ b/admin/modals/vendor_template/vendor_template_edit.php
@@ -31,7 +31,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="vendor_template_id" value="<?php echo $vendor_template_id; ?>">
    <div class="modal-body">
        <ul class="nav nav-pills nav-justified mb-3">
--- a/admin/post/category.php
+++ b/admin/post/category.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_category'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'category_model.php';
    mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_category'])) {
 if (isset($_POST['edit_category'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'category_model.php';
    $category_id = intval($_POST['category_id']);
@@ -40,6 +44,8 @@ if (isset($_POST['edit_category'])) {
 if (isset($_GET['archive_category'])) {
    validateCSRFToken($_GET['csrf_token']);
    $category_id = intval($_GET['archive_category']);
    // Get Category Name and Type for logging
@@ -58,9 +64,11 @@ if (isset($_GET['archive_category'])) {
 }
-if (isset($_GET['unarchive_category'])) {
+if (isset($_GET['restore_category'])) {
-    $category_id = intval($_GET['unarchive_category']);
+    validateCSRFToken($_GET['csrf_token']);
    $category_id = intval($_GET['retore_category']);
    // Get Category Name and Type for logging
    $sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
@@ -70,9 +78,9 @@ if (isset($_GET['unarchive_category'])) {
    mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NULL WHERE category_id = $category_id");
-    logAction("Category", "Unarchive", "$session_name unarchived category $category_type $category_name", 0, $category_id);
+    logAction("Category", "Restore", "$session_name retored category $category_type $category_name", 0, $category_id);
-    flash_alert("Category $category_type <strong>$category_name</strong> unarchived");
+    flash_alert("Category $category_type <strong>$category_name</strong> restored");
    redirect();
@@ -80,6 +88,8 @@ if (isset($_GET['unarchive_category'])) {
 if (isset($_GET['delete_category'])) {
    validateCSRFToken($_GET['csrf_token']);
    $category_id = intval($_GET['delete_category']);
    // Get Category Name and Type for logging
--- a/admin/post/custom_link.php
+++ b/admin/post/custom_link.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_custom_link'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $uri = sanitizeInput($_POST['uri']);
    $new_tab = intval($_POST['new_tab'] ?? 0);
@@ -29,6 +31,8 @@ if (isset($_POST['add_custom_link'])) {
 if (isset($_POST['edit_custom_link'])) {
    validateCSRFToken($_POST['csrf_token']);
    $custom_link_id = intval($_POST['custom_link_id']);
    $name = sanitizeInput($_POST['name']);
    $uri = sanitizeInput($_POST['uri']);
@@ -49,6 +53,8 @@ if (isset($_POST['edit_custom_link'])) {
 if (isset($_GET['delete_custom_link'])) {
    validateCSRFToken($_GET['csrf_token']);
    $custom_link_id = intval($_GET['delete_custom_link']);
    // Get Custom Link name and uri for logging
--- a/admin/post/document_template.php
+++ b/admin/post/document_template.php
@@ -6,6 +6,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_document_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -36,6 +38,8 @@ if (isset($_POST['add_document_template'])) {
 if (isset($_POST['edit_document_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $document_template_id = intval($_POST['document_template_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -69,6 +73,8 @@ if (isset($_POST['edit_document_template'])) {
 if (isset($_GET['delete_document_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $document_template_id = intval($_GET['delete_document_template']);
    $document_template_name = sanitizeInput(getFieldById('document_templates', $document_template_id, 'document_template_name'));
--- a/admin/post/mail_queue.php
+++ b/admin/post/mail_queue.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_GET['send_failed_mail'])) {
    validateCSRFToken($_GET['csrf_token']);
    $email_id = intval($_GET['send_failed_mail']);
    mysqli_query($mysqli,"UPDATE email_queue SET email_status = 0, email_attempts = 3 WHERE email_id = $email_id");
@@ -18,6 +20,8 @@ if (isset($_GET['send_failed_mail'])) {
 if (isset($_GET['cancel_mail'])) {
    validateCSRFToken($_GET['csrf_token']);
    $email_id = intval($_GET['cancel_mail']);
    mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
--- a/admin/post/payment_method.php
+++ b/admin/post/payment_method.php
@@ -59,6 +59,8 @@ if (isset($_POST['edit_payment_method'])) {
 if (isset($_GET['delete_payment_method'])) {
    validateCSRFToken($_GET['csrf_token']);
    $payment_method_id = intval($_GET['delete_payment_method']);
    $payment_method_name = sanitizeInput(getFieldById('payment_methods', $payment_method_is, 'payment_method_name'));
--- a/admin/post/project_template.php
+++ b/admin/post/project_template.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_project_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -21,6 +23,8 @@ if (isset($_POST['add_project_template'])) {
 if (isset($_POST['edit_project_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $project_template_id = intval($_POST['project_template_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -37,6 +41,8 @@ if (isset($_POST['edit_project_template'])) {
 if (isset($_POST['edit_ticket_template_order'])) {
    validateCSRFToken($_POST['csrf_token']);
    $ticket_template_id = intval($_POST['ticket_template_id']);
    $project_template_id = intval($_POST['project_template_id']);
    $order = intval($_POST['order']);
@@ -49,6 +55,8 @@ if (isset($_POST['edit_ticket_template_order'])) {
 if (isset($_POST['add_ticket_template_to_project_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $project_template_id = intval($_POST['project_template_id']);
    $ticket_template_id = intval($_POST['ticket_template_id']);
    $order = intval($_POST['order']);
@@ -65,7 +73,8 @@ if (isset($_POST['add_ticket_template_to_project_template'])) {
 if (isset($_POST['remove_ticket_template_from_project_template'])) {
-    validateTechRole();
+    validateCSRFToken($_POST['csrf_token']);
    $ticket_template_id = intval($_POST['ticket_template_id']);
    $project_template_id = intval($_POST['project_template_id']);
@@ -81,6 +90,8 @@ if (isset($_POST['remove_ticket_template_from_project_template'])) {
 if (isset($_GET['delete_project_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $project_template_id = intval($_GET['delete_project_template']);
    $project_template_name = sanitizeInput(getFieldById('project_templates', $project_template_id, 'project_template_name'));
--- a/admin/post/settings_company.php
+++ b/admin/post/settings_company.php
@@ -54,6 +54,8 @@ if (isset($_POST['edit_company'])) {
 if (isset($_GET['remove_company_logo'])) {
    validateCSRFToken($_GET['csrf_token']);
    $sql = mysqli_query($mysqli,"SELECT company_logo FROM companies");
    $row = mysqli_fetch_assoc($sql);
    $company_logo = $row['company_logo']; // FileSystem Operation Logo is already sanitized
--- a/admin/post/settings_module.php
+++ b/admin/post/settings_module.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['edit_module_settings'])) {
    validateCSRFToken($_POST['csrf_token']);
    $config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);
    $config_module_enable_ticketing = intval($_POST['config_module_enable_ticketing'] ?? 0);
    $config_module_enable_accounting = intval($_POST['config_module_enable_accounting'] ?? 0);
--- a/admin/post/settings_theme.php
+++ b/admin/post/settings_theme.php
@@ -52,6 +52,8 @@ if (isset($_POST['edit_favicon_settings'])) {
 if (isset($_GET['reset_favicon'])) {
    validateCSRFToken($_GET['csrf_token']);
    if (file_exists("../uploads/favicon.ico")) {
        unlink("../uploads/favicon.ico");
    }
--- a/admin/post/settings_ticket.php
+++ b/admin/post/settings_ticket.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['edit_ticket_settings'])) {
    validateCSRFToken($_POST['csrf_token']);
    $config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
    $config_ticket_next_number = intval($_POST['config_ticket_next_number']);
    $config_ticket_email_parse = intval($_POST['config_ticket_email_parse'] ?? 0);
--- a/admin/post/software_template.php
+++ b/admin/post/software_template.php
@@ -6,6 +6,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_software_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $version = sanitizeInput($_POST['version']);
    $description = sanitizeInput($_POST['description']);
@@ -27,6 +29,8 @@ if (isset($_POST['add_software_template'])) {
 if (isset($_POST['edit_software_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $software_template_id = intval($_POST['software_template_id']);
    $name = sanitizeInput($_POST['name']);
    $version = sanitizeInput($_POST['version']);
@@ -47,6 +51,8 @@ if (isset($_POST['edit_software_template'])) {
 if (isset($_GET['delete_software_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $software_template_id = intval($_GET['delete_software_template']);
    // Get Software Template Name for logging and alert message
--- a/admin/post/tag.php
+++ b/admin/post/tag.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_tag'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'tag_model.php';
    mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
@@ -24,6 +26,8 @@ if (isset($_POST['add_tag'])) {
 if (isset($_POST['edit_tag'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'post/tag_model.php';
    $tag_id = intval($_POST['tag_id']);
@@ -40,6 +44,8 @@ if (isset($_POST['edit_tag'])) {
 if (isset($_GET['delete_tag'])) {
    validateCSRFToken($_GET['csrf_token']);
    $tag_id = intval($_GET['delete_tag']);
    $tag_name = sanitizeInput(getFieldById('tags', $tag_id, 'tag_name'));
--- a/admin/post/tax.php
+++ b/admin/post/tax.php
@@ -9,6 +9,7 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_tax'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $percent = floatval($_POST['percent']);
@@ -27,6 +28,7 @@ if (isset($_POST['add_tax'])) {
 if (isset($_POST['edit_tax'])) {
    validateCSRFToken($_POST['csrf_token']);
    $tax_id = intval($_POST['tax_id']);
    $name = sanitizeInput($_POST['name']);
    $percent = floatval($_POST['percent']);
@@ -44,6 +46,7 @@ if (isset($_POST['edit_tax'])) {
 if (isset($_GET['archive_tax'])) {
    validateCSRFToken($_GET['csrf_token']);
    $tax_id = intval($_GET['archive_tax']);
    $tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));
@@ -60,6 +63,8 @@ if (isset($_GET['archive_tax'])) {
 if (isset($_GET['delete_tax'])) {
    validateCSRFToken($_GET['csrf_token']);
    $tax_id = intval($_GET['delete_tax']);
    $tax_name = sanitizeInput(getFieldById('taxes', $tax_id, 'tax_name'));
--- a/admin/post/ticket_status.php
+++ b/admin/post/ticket_status.php
@@ -4,6 +4,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_ticket_status'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $color = sanitizeInput($_POST['color']);
@@ -21,6 +23,8 @@ if (isset($_POST['add_ticket_status'])) {
 if (isset($_POST['edit_ticket_status'])) {
    validateCSRFToken($_POST['csrf_token']);
    $ticket_status_id = intval($_POST['ticket_status_id']);
    $name = sanitizeInput($_POST['name']);
    $color = sanitizeInput($_POST['color']);
--- a/admin/post/ticket_template.php
+++ b/admin/post/ticket_template.php
@@ -10,6 +10,8 @@ require_once '../agent/post/task.php';
 if (isset($_POST['add_ticket_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $subject = sanitizeInput($_POST['subject']);
@@ -34,6 +36,8 @@ if (isset($_POST['add_ticket_template'])) {
 if (isset($_POST['edit_ticket_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $ticket_template_id = intval($_POST['ticket_template_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -52,6 +56,8 @@ if (isset($_POST['edit_ticket_template'])) {
 if (isset($_GET['delete_ticket_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $ticket_template_id = intval($_GET['delete_ticket_template']);
    $ticket_template_name = sanitizeInput(getFieldById('ticket_templates', $ticket_template_id, 'ticket_template_name'));
@@ -72,6 +78,8 @@ if (isset($_GET['delete_ticket_template'])) {
 if (isset($_POST['add_ticket_template_task'])) {
    validateCSRFToken($_POST['csrf_token']);
    $ticket_template_id = intval($_POST['ticket_template_id']);
    $task_name = sanitizeInput($_POST['task_name']);
@@ -89,6 +97,8 @@ if (isset($_POST['add_ticket_template_task'])) {
 if (isset($_GET['delete_task_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $task_template_id = intval($_GET['delete_task_template']);
    $task_template_name = sanitizeInput(getFieldById('tags', $task_template_id, 'task_template_name'));
--- a/admin/post/vendor_template.php
+++ b/admin/post/vendor_template.php
@@ -9,6 +9,8 @@ require_once '../agent/post/vendor.php';
 if (isset($_POST['add_vendor_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $account_number = sanitizeInput($_POST['account_number']);
@@ -37,6 +39,8 @@ if (isset($_POST['add_vendor_template'])) {
 if (isset($_POST['edit_vendor_template'])) {
    validateCSRFToken($_POST['csrf_token']);
    $vendor_template_id = intval($_POST['vendor_template_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
@@ -141,6 +145,8 @@ if (isset($_POST['edit_vendor_template'])) {
 if (isset($_GET['delete_vendor_template'])) {
    validateCSRFToken($_GET['csrf_token']);
    $vendor_template_id = intval($_GET['delete_vendor_template']);
    $vendor_template_name = sanitizeInput(getFieldById('vendor_templates', $vendor_template_id, 'vendor_template_name'));
--- a/admin/project_template.php
+++ b/admin/project_template.php
@@ -114,7 +114,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                    </a>
                                    <?php if($session_user_role == 3) { ?>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    <?php } ?>
--- a/admin/project_template_details.php
+++ b/admin/project_template_details.php
@@ -104,13 +104,13 @@ if (isset($_GET['project_template_id'])) {
                        </a>
                        <?php if ($session_user_role == 3) { ?>
                            <div class="dropdown-divider"></div>
-                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project_template=<?php echo $project_template_id; ?>">
+                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?archive_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                <i class="fas fa-fw fa-archive mr-2"></i>Archive (not yet implemented)
                            </a>
                        <?php } ?>
                        <?php if ($session_user_role == 3) { ?>
                            <div class="dropdown-divider"></div>
-                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>">
+                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_project_template=<?php echo $project_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
                            </a>
                        <?php } ?>
@@ -157,6 +157,7 @@ if (isset($_GET['project_template_id'])) {
                            <tr>
                                <td class="pr-0">
                                    <form action="post.php" method="post" autocomplete="off">
                                        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                        <input type="hidden" name="edit_ticket_template_order">
                                        <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
                                        <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
@@ -172,6 +173,7 @@ if (isset($_GET['project_template_id'])) {
                                <td><?php echo $ticket_template_subject; ?></td>
                                <td>
                                    <form action="post.php" method="post" autocomplete="off">
                                        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                        <input type="hidden" name="project_template_id" value="<?php echo $project_template_id; ?>">
                                        <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
                                        <button type="submit" class="btn btn-default btn-sm confirm-link"
--- a/admin/settings_company.php
+++ b/admin/settings_company.php
@@ -37,7 +37,7 @@ $company_initials = nullable_htmlentities(initials($company_name));
                        <div class="col-md-3 text-center">
                            <?php if ($company_logo) { ?>
                                <img class="img-thumbnail" src="<?php echo "../uploads/settings/$company_logo"; ?>">
-                                <a href="post.php?remove_company_logo" class="btn btn-outline-danger btn-block">Remove Logo</a>
+                                <a href="post.php?remove_company_logo&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger btn-block">Remove Logo</a>
                                <hr>
                            <?php } ?>
                            <div class="form-group">
--- a/admin/settings_mail.php
+++ b/admin/settings_mail.php
@@ -260,7 +260,7 @@ require_once "includes/inc_all_admin.php";
                        <input type="text" class="form-control" readonly value="<?php echo htmlspecialchars($mail_oauth_callback_uri); ?>">
                        <div class="input-group-append">
                            <button type="submit" name="oauth_connect_microsoft_mail" class="btn btn-outline-primary">
-                                <i class="fas fa-fw fa-sign-in-alt mr-2"></i>Connect Microsoft 365
+                                <i class="fab fa-fw fa-microsoft mr-2"></i>Connect Microsoft 365
                            </button>
                        </div>
                    </div>
--- a/admin/settings_theme.php
+++ b/admin/settings_theme.php
@@ -58,7 +58,7 @@ require_once "includes/inc_all_admin.php";
                <button type="submit" name="edit_favicon_settings" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Upload Icon</button>
                <?php if(file_exists("../uploads/favicon.ico")) { ?>
-                <a href="post.php?reset_favicon" class="btn btn-outline-danger"><i class="fas fa-redo-alt mr-2"></i>Reset Favicon</a>
+                <a href="post.php?reset_favicon&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger"><i class="fas fa-redo-alt mr-2"></i>Reset Favicon</a>
                <?php } ?>
            </form>
        </div>
--- a/admin/software_template.php
+++ b/admin/software_template.php
@@ -103,7 +103,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                    </a>
                                    <?php if($session_user_role == 3) { ?>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_software_template=<?php echo $software_template_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_software_template=<?php echo $software_template_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    <?php } ?>
--- a/admin/tag.php
+++ b/admin/tag.php
@@ -142,7 +142,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                            <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                        </a>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_tag=<?php echo $tag_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_tag=<?php echo $tag_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    </div>
--- a/admin/ticket_template.php
+++ b/admin/ticket_template.php
@@ -101,7 +101,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                    <i class="fas fa-ellipsis-h"></i>
                                </button>
                                <div class="dropdown-menu">
-                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket_template=<?= $ticket_template_id ?>">
+                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket_template=<?= $ticket_template_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                        <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                    </a>
                                </div>
--- a/admin/ticket_template_details.php
+++ b/admin/ticket_template_details.php
@@ -86,6 +86,7 @@ $sql_task_templates = mysqli_query($mysqli, "SELECT * FROM task_templates WHERE
            </div>
            <div class="card-body">
                <form action="post.php" method="post" autocomplete="off">
                    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                    <input type="hidden" name="ticket_template_id" value="<?php echo $ticket_template_id; ?>">
                    <div class="form-group">
                        <div class="input-group input-group-sm">
--- a/admin/vendor_template.php
+++ b/admin/vendor_template.php
@@ -140,7 +140,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                    </a>
                                    <?php if ($session_user_role == 3) { ?>
                                        <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor_template=<?= $vendor_template_id ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_vendor_template=<?= $vendor_template_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                            <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                        </a>
                                    <?php } ?>