From 9213249f7b4145055698a813303a14c212a15cbb Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sun, 1 Mar 2026 21:21:37 -0500
Subject: [PATCH] Recurring Ticket: Add missing CSRF checks

---
 .../recurring_ticket/recurring_ticket_add.php | 1 +
 .../recurring_ticket/recurring_ticket_edit.php | 1 +
 agent/post/recurring_ticket.php | 14 ++++++++++++++
 3 files changed, 16 insertions(+)

diff --git a/agent/modals/recurring_ticket/recurring_ticket_add.php b/agent/modals/recurring_ticket/recurring_ticket_add.php
index ff234e8a..82e44fd3 100644
--- a/agent/modals/recurring_ticket/recurring_ticket_add.php
+++ b/agent/modals/recurring_ticket/recurring_ticket_add.php
@@ -16,6 +16,7 @@ ob_start();
+
diff --git a/agent/modals/recurring_ticket/recurring_ticket_edit.php b/agent/modals/recurring_ticket/recurring_ticket_edit.php
index 73145cfa..bec27c24 100644
--- a/agent/modals/recurring_ticket/recurring_ticket_edit.php
+++ b/agent/modals/recurring_ticket/recurring_ticket_edit.php
@@ -38,6 +38,7 @@ ob_start();
+
diff --git a/agent/post/recurring_ticket.php b/agent/post/recurring_ticket.php
index 61748347..f4f249fd 100644
--- a/agent/post/recurring_ticket.php
+++ b/agent/post/recurring_ticket.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 if (isset($_POST['add_recurring_ticket'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 require_once 'ticket_recurring_model.php';
@@ -36,6 +38,8 @@ if (isset($_POST['add_recurring_ticket'])) {
 if (isset($_POST['edit_recurring_ticket'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 require_once 'ticket_recurring_model.php';
@@ -400,6 +404,8 @@ if (isset($_POST['bulk_delete_recurring_tickets'])) {
 if (isset($_POST['bulk_assign_recurring_ticket'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 // POST variables
@@ -488,6 +494,8 @@ if (isset($_POST['bulk_assign_recurring_ticket'])) {
 if (isset($_POST['bulk_edit_recurring_ticket_priority'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 $priority = sanitizeInput($_POST['bulk_priority']);
@@ -527,6 +535,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_priority'])) {
 if (isset($_POST['bulk_edit_recurring_ticket_category'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 $category_id = intval($_POST['bulk_category']);
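Review bot: Every new `validateCSRFToken($_POST['csrf_token']);` line in the agent/post/recurring_ticket.php hunks here reads the key unguarded, so the very request this check exists to reject — one carrying no csrf_token field — first emits an "Undefined array key" warning and then hands `null` to the validator, whose handling of `null` is not visible in this diff. Write it as `validateCSRFToken($_POST['csrf_token'] ?? '');` so the validator always receives a string and can fail closed on an empty one, and confirm that validateCSRFToken compares with `hash_equals()` and exits rather than merely returning on mismatch, since the handler code that follows assumes the request is genuine. Placing the check before `enforceUserPermission` is the right order: a forged request is rejected before any authorization or model code runs. The `bulk_delete_recurring_tickets` handler appears only as hunk-header context at line 400 and is not touched by this patch, so verify it already carries the same check. Each handler body continues past the end of its hunk.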
@@ -565,6 +575,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_category'])) {
 if (isset($_POST['bulk_edit_recurring_ticket_billable'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 enforceUserPermission('module_sales', 2);
@@ -612,6 +624,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_billable'])) {
 if (isset($_POST['bulk_edit_recurring_ticket_next_run_date'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
 enforceUserPermission('module_support', 2);
 $next_run_date = sanitizeInput($_POST['next_run_date']);
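Review bot: The two hunks on this line (`bulk_edit_recurring_ticket_billable` and `bulk_edit_recurring_ticket_next_run_date`) are the sixth and seventh copies of the same two added lines, and adding the token check handler by handler is exactly how a handler gets missed — the `bulk_delete_recurring_tickets` block visible only as header context at line 400 is one this patch does not touch. If every action in agent/post/recurring_ticket.php is POST-driven, a single `validateCSRFToken($_POST['csrf_token'] ?? '');` placed right after the `FROM_POST_HANDLER` guard at the top of the file would cover current and future handlers and let the per-handler copies go; that is a larger change than this patch and assumes the file has no GET-driven actions, so check that first. Short of that, at least write these two as `validateCSRFToken($_POST['csrf_token'] ?? '');` so a request without the field does not raise an undefined-key warning before the validator runs. Both handler bodies continue beyond their hunks.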