AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-22 21:45:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Recurring Ticket: Add missing CSRF checks

Browse Source
This commit is contained in:
johnnyq
2026-03-01 21:21:37 -05:00
parent 63f6faf1e8
commit 9213249f7b
3 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/recurring_ticket/recurring_ticket_add.php
View File

@@ -16,6 +16,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<?php if (isset($client_id)) { ?> <?php if (isset($client_id)) { ?>
<input type="hidden" name="client" value="<?php echo $client_id; ?>>"> <input type="hidden" name="client" value="<?php echo $client_id; ?>>">
<?php } ?> <?php } ?>

1
agent/modals/recurring_ticket/recurring_ticket_edit.php
View File

@@ -38,6 +38,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="recurring_ticket_id" value="<?php echo $recurring_ticket_id; ?>"> <input type="hidden" name="recurring_ticket_id" value="<?php echo $recurring_ticket_id; ?>">
<input type="hidden" name="client" value="<?php echo $client_id; ?>"> <input type="hidden" name="client" value="<?php echo $client_id; ?>">

14
agent/post/recurring_ticket.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_recurring_ticket'])) { if (isset($_POST['add_recurring_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
require_once 'ticket_recurring_model.php'; require_once 'ticket_recurring_model.php';
@@ -36,6 +38,8 @@ if (isset($_POST['add_recurring_ticket'])) {
if (isset($_POST['edit_recurring_ticket'])) { if (isset($_POST['edit_recurring_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
require_once 'ticket_recurring_model.php'; require_once 'ticket_recurring_model.php';
@@ -400,6 +404,8 @@ if (isset($_POST['bulk_delete_recurring_tickets'])) {
if (isset($_POST['bulk_assign_recurring_ticket'])) { if (isset($_POST['bulk_assign_recurring_ticket'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
// POST variables // POST variables
@@ -488,6 +494,8 @@ if (isset($_POST['bulk_assign_recurring_ticket'])) {
if (isset($_POST['bulk_edit_recurring_ticket_priority'])) { if (isset($_POST['bulk_edit_recurring_ticket_priority'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$priority = sanitizeInput($_POST['bulk_priority']); $priority = sanitizeInput($_POST['bulk_priority']);
@@ -527,6 +535,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_priority'])) {
if (isset($_POST['bulk_edit_recurring_ticket_category'])) { if (isset($_POST['bulk_edit_recurring_ticket_category'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$category_id = intval($_POST['bulk_category']); $category_id = intval($_POST['bulk_category']);
@@ -565,6 +575,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_category'])) {
if (isset($_POST['bulk_edit_recurring_ticket_billable'])) { if (isset($_POST['bulk_edit_recurring_ticket_billable'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
@@ -612,6 +624,8 @@ if (isset($_POST['bulk_edit_recurring_ticket_billable'])) {
if (isset($_POST['bulk_edit_recurring_ticket_next_run_date'])) { if (isset($_POST['bulk_edit_recurring_ticket_next_run_date'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$next_run_date = sanitizeInput($_POST['next_run_date']); $next_run_date = sanitizeInput($_POST['next_run_date']);