From a67de7a8f16a01d20b402da84eba10fcb58fc60a Mon Sep 17 00:00:00 2001
From: wrongecho <marcus@itflow.org>
Date: Thu, 9 Jan 2025 16:09:39 +0000
Subject: [PATCH] Prevent post pages being accessed directly

---
 CHANGELOG.md                                 |  4 +++-
 admin_role.php                               |  7 +++----
 post.php                                     | 15 ++++-----------
 post/admin/admin_api.php                     |  2 ++
 post/admin/admin_backup.php                  |  2 ++
 post/admin/admin_bulk_mail.php               |  3 +++
 post/admin/admin_category.php                |  2 ++
 post/admin/admin_category_model.php          |  2 ++
 post/admin/admin_custom_field.php            |  2 ++
 post/admin/admin_custom_field_model.php      |  2 ++
 post/admin/admin_custom_link.php             |  2 ++
 post/admin/admin_document_template.php       |  2 ++
 post/admin/admin_mail_queue.php              |  2 ++
 post/admin/admin_project_template.php        |  2 ++
 post/admin/admin_role.php                    | 10 ++++++++++
 post/admin/admin_settings_ai.php             |  2 ++
 post/admin/admin_settings_company.php        |  2 ++
 post/admin/admin_settings_default.php        |  2 ++
 post/admin/admin_settings_integration.php    |  2 ++
 post/admin/admin_settings_invoice.php        |  2 ++
 post/admin/admin_settings_localization.php   |  2 ++
 post/admin/admin_settings_mail.php           |  1 +
 post/admin/admin_settings_module.php         |  2 ++
 post/admin/admin_settings_notification.php   |  2 ++
 post/admin/admin_settings_online_payment.php |  2 ++
 post/admin/admin_settings_project.php        |  2 ++
 post/admin/admin_settings_quote.php          |  2 ++
 post/admin/admin_settings_security.php       |  2 ++
 post/admin/admin_settings_telemetry.php      |  2 ++
 post/admin/admin_settings_theme.php          |  2 ++
 post/admin/admin_settings_ticket.php         |  2 ++
 post/admin/admin_software_template.php       |  2 ++
 post/admin/admin_tag.php                     |  2 ++
 post/admin/admin_tag_model.php               |  2 ++
 post/admin/admin_tax.php                     |  2 ++
 post/admin/admin_ticket_status.php           |  2 ++
 post/admin/admin_ticket_template.php         |  2 ++
 post/{ => admin}/admin_update.php            |  2 ++
 post/admin/admin_user.php                    |  2 ++
 post/admin/admin_user_model.php              |  2 ++
 post/admin/admin_vendor_template.php         |  2 ++
 post/user/account.php                        |  2 ++
 post/user/asset.php                          |  2 ++
 post/user/asset_interface_model.php          |  2 ++
 post/user/asset_model.php                    |  2 ++
 post/user/budget.php                         |  3 +++
 post/user/certificate.php                    |  2 ++
 post/user/certificate_model.php              |  2 ++
 post/user/client.php                         |  2 ++
 post/user/client_model.php                   |  2 ++
 post/user/contact.php                        |  2 ++
 post/user/contact_model.php                  |  1 +
 post/user/credential.php                     |  2 ++
 post/user/credential_model.php               |  2 ++
 post/user/document.php                       |  2 ++
 post/user/document_model.php                 |  2 ++
 post/user/domain.php                         |  2 ++
 post/user/domain_model.php                   |  2 ++
 post/user/event.php                          |  2 ++
 post/user/event_model.php                    |  2 ++
 post/user/expense.php                        |  2 ++
 post/user/expense_model.php                  |  2 ++
 post/user/file.php                           |  2 ++
 post/user/folder.php                         |  2 ++
 post/user/invoice.php                        |  2 ++
 post/user/invoice_model.php                  |  1 +
 post/user/location.php                       |  2 ++
 post/user/location_model.php                 |  2 ++
 post/user/network.php                        |  2 ++
 post/user/network_model.php                  |  2 ++
 post/user/product.php                        |  2 ++
 post/user/product_model.php                  |  2 ++
 post/user/profile.php                        |  2 ++
 post/user/project.php                        |  2 ++
 post/user/quote.php                          |  2 ++
 post/user/quote_model.php                    |  2 ++
 post/user/rack.php                           |  2 ++
 post/user/revenue.php                        |  2 ++
 post/user/service.php                        |  2 ++
 post/user/software.php                       |  1 +
 post/user/task.php                           |  2 ++
 post/user/ticket.php                         |  2 ++
 post/user/ticket_recurring_model.php         |  1 +
 post/user/transfer.php                       |  2 ++
 post/user/transfer_model.php                 |  2 ++
 post/user/trip.php                           |  2 ++
 post/user/trip_model.php                     |  2 ++
 post/user/vendor.php                         |  2 ++
 post/user/vendor_contact.php                 |  2 ++
 post/user/vendor_contact_model.php           |  1 +
 post/user/vendor_model.php                   |  2 ++
 91 files changed, 190 insertions(+), 16 deletions(-)
 rename post/{ => admin}/admin_update.php (99%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75e57a9f..446ca6e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,9 @@ All notable changes to ITFlow will be documented in this file.
 - Bugfix: Asset interface losing DHCP setting
 - Bugfix: Editing / creating recurring expenses results in error 500 due to incorrect var name
 - Stripe online payment setup now prompts you to set the income/expense account
-- Admin pages now once again use the new admin rolecheck
+- Admin pages now once again use the new admin role-check
+- Debug now shows the current git branch
+- Individual POST handler logic pages can no longer be accessed directly
 
 ## 24.12
 
diff --git a/admin_role.php b/admin_role.php
index 241a116f..800b58cc 100644
--- a/admin_role.php
+++ b/admin_role.php
@@ -110,11 +110,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                             </a>
 
                                             <?php if (empty($role_archived_at) && $role_user_count == 0) { ?>
-                                                    <!-- To be added -->
                                                 <div class="dropdown-divider"></div>
-<!--                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=--><?php //echo $role_id; ?><!--&csrf_token=--><?php //echo $_SESSION['csrf_token'] ?><!--">-->
-<!--                                                    <i class="fas fa-fw fa-archive mr-2"></i>Archive-->
-<!--                                                </a>-->
+                                                <a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=<?php echo $role_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
+                                                    <i class="fas fa-fw fa-archive mr-2"></i>Archive
+                                                </a>
                                             <?php } ?>
 
                                         </div>
diff --git a/post.php b/post.php
index f09d2141..69a21561 100644
--- a/post.php
+++ b/post.php
@@ -10,6 +10,9 @@ require_once "functions.php";
 
 require_once "check_login.php";
 
+// Define a variable that we can use to only allow running post files via inclusion (prevents people/bots poking them)
+define('FROM_POST_HANDLER', true);
+
 
 // Determine which files we should load
 
@@ -28,13 +31,7 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
     //  To add a new admin POST request handler, add a file named after the admin page
     //    e.g. changes made on the page http://itflow/admin_ticket_statues.php will load the page post/admin/admin_ticket_statues.php to handle the changes
 
-    if ($module !== 'admin_update') {
-        require_once "post/admin/$module.php";
-    }
-    // IF statement is temporary
-
-
-
+    require_once "post/admin/$module.php";
 
 } elseif (str_contains($module, 'xcustom')) {
     // Dynamically load any custom POST logic
@@ -58,10 +55,6 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
 // Logout is the same for user and admin
 require_once "post/logout.php";
 
-// TODO: Move admin_update into the admin section to be auto-loaded
-//  We can't do this until everyone has the new database fields added in 1.4.9 on Sept 14th 2024
-require_once "post/admin_update.php"; // Load updater
-
 // TODO: Find a home for these
 
 require_once "post/ai.php";
diff --git a/post/admin/admin_api.php b/post/admin/admin_api.php
index 8817b62a..073f2afd 100644
--- a/post/admin/admin_api.php
+++ b/post/admin/admin_api.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for API settings
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_api_key'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_backup.php b/post/admin/admin_backup.php
index 8649e91d..dfb0509a 100644
--- a/post/admin/admin_backup.php
+++ b/post/admin/admin_backup.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for DB / master key backup
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_GET['download_database'])) {
 
     validateCSRFToken($_GET['csrf_token']);
diff --git a/post/admin/admin_bulk_mail.php b/post/admin/admin_bulk_mail.php
index cdbf999f..4ddc0651 100644
--- a/post/admin/admin_bulk_mail.php
+++ b/post/admin/admin_bulk_mail.php
@@ -4,6 +4,9 @@
  * ITFlow - GET/POST request handler for bulk email
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
+
 if (isset($_POST['send_bulk_mail_now'])) {
     
     if (isset($_POST['contact_ids'])) {
diff --git a/post/admin/admin_category.php b/post/admin/admin_category.php
index c3a97fc2..b5bd1273 100644
--- a/post/admin/admin_category.php
+++ b/post/admin/admin_category.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for categories ('category')
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_category'])) {
 
     require_once 'post/admin/admin_category_model.php';
diff --git a/post/admin/admin_category_model.php b/post/admin/admin_category_model.php
index 92b0c6ba..81b54a39 100644
--- a/post/admin/admin_category_model.php
+++ b/post/admin/admin_category_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $type = sanitizeInput($_POST['type']);
 $color = sanitizeInput($_POST['color']);
diff --git a/post/admin/admin_custom_field.php b/post/admin/admin_custom_field.php
index 85f2a739..e8f68fbe 100644
--- a/post/admin/admin_custom_field.php
+++ b/post/admin/admin_custom_field.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for custom fields
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if(isset($_POST['create_custom_field'])){
 
     require_once 'post/admin/admin_custom_field_model.php';
diff --git a/post/admin/admin_custom_field_model.php b/post/admin/admin_custom_field_model.php
index 2cd6fb47..2c13993d 100644
--- a/post/admin/admin_custom_field_model.php
+++ b/post/admin/admin_custom_field_model.php
@@ -1,3 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $label = sanitizeInput($_POST['label']);
 $type = sanitizeInput($_POST['type']);
diff --git a/post/admin/admin_custom_link.php b/post/admin/admin_custom_link.php
index 92c882f4..144b509c 100644
--- a/post/admin/admin_custom_link.php
+++ b/post/admin/admin_custom_link.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for showing custom links on navbars
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_custom_link'])) {
 
     $name = sanitizeInput($_POST['name']);
diff --git a/post/admin/admin_document_template.php b/post/admin/admin_document_template.php
index 40cdd2e9..2d794333 100644
--- a/post/admin/admin_document_template.php
+++ b/post/admin/admin_document_template.php
@@ -2,6 +2,8 @@
 
 // Doc Templates
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Import shared code from user-side docs as we reuse functions
 require_once 'post/user/document.php';
 
diff --git a/post/admin/admin_mail_queue.php b/post/admin/admin_mail_queue.php
index f178dc5c..81eaecf7 100644
--- a/post/admin/admin_mail_queue.php
+++ b/post/admin/admin_mail_queue.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_GET['send_failed_mail'])) {
 
     $email_id = intval($_GET['send_failed_mail']);
diff --git a/post/admin/admin_project_template.php b/post/admin/admin_project_template.php
index 790828a7..32d68a4e 100644
--- a/post/admin/admin_project_template.php
+++ b/post/admin/admin_project_template.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_project_template'])) {
 
     $name = sanitizeInput($_POST['name']);
diff --git a/post/admin/admin_role.php b/post/admin/admin_role.php
index 54471a12..8665c324 100644
--- a/post/admin/admin_role.php
+++ b/post/admin/admin_role.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for roles
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_role'])) {
 
     validateCSRFToken($_POST['csrf_token']);
@@ -59,3 +61,11 @@ if (isset($_POST['edit_role'])) {
 
     header("Location: " . $_SERVER["HTTP_REFERER"]);
 }
+
+if (isset($_GET['archive_role'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+
+
+}
\ No newline at end of file
diff --git a/post/admin/admin_settings_ai.php b/post/admin/admin_settings_ai.php
index ad7dac98..cbb5d00f 100644
--- a/post/admin/admin_settings_ai.php
+++ b/post/admin/admin_settings_ai.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_ai_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_company.php b/post/admin/admin_settings_company.php
index 839c16ec..3c3660d9 100644
--- a/post/admin/admin_settings_company.php
+++ b/post/admin/admin_settings_company.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_company'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_default.php b/post/admin/admin_settings_default.php
index ba4746d8..e50dad3e 100644
--- a/post/admin/admin_settings_default.php
+++ b/post/admin/admin_settings_default.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_default_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_integration.php b/post/admin/admin_settings_integration.php
index 2a8fa844..c2f5d363 100644
--- a/post/admin/admin_settings_integration.php
+++ b/post/admin/admin_settings_integration.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_integrations_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_invoice.php b/post/admin/admin_settings_invoice.php
index 36cb9603..9a1335fb 100644
--- a/post/admin/admin_settings_invoice.php
+++ b/post/admin/admin_settings_invoice.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_invoice_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_localization.php b/post/admin/admin_settings_localization.php
index 7f4996a4..25ebce95 100644
--- a/post/admin/admin_settings_localization.php
+++ b/post/admin/admin_settings_localization.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_localization'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_mail.php b/post/admin/admin_settings_mail.php
index 800ddc6d..b36d3f42 100644
--- a/post/admin/admin_settings_mail.php
+++ b/post/admin/admin_settings_mail.php
@@ -1,5 +1,6 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['edit_mail_smtp_settings'])) {
 
diff --git a/post/admin/admin_settings_module.php b/post/admin/admin_settings_module.php
index b8639d29..e98a3ce0 100644
--- a/post/admin/admin_settings_module.php
+++ b/post/admin/admin_settings_module.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_module_settings'])) {
 
     $config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);
diff --git a/post/admin/admin_settings_notification.php b/post/admin/admin_settings_notification.php
index 80bd03ca..429a0328 100644
--- a/post/admin/admin_settings_notification.php
+++ b/post/admin/admin_settings_notification.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_notification_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_online_payment.php b/post/admin/admin_settings_online_payment.php
index 127672e0..87a44345 100644
--- a/post/admin/admin_settings_online_payment.php
+++ b/post/admin/admin_settings_online_payment.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_online_payment_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_project.php b/post/admin/admin_settings_project.php
index f2b42fda..15e746b7 100644
--- a/post/admin/admin_settings_project.php
+++ b/post/admin/admin_settings_project.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_project_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_quote.php b/post/admin/admin_settings_quote.php
index 99df3d08..afef08a3 100644
--- a/post/admin/admin_settings_quote.php
+++ b/post/admin/admin_settings_quote.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_quote_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_security.php b/post/admin/admin_settings_security.php
index 618d86fb..4862cbf1 100644
--- a/post/admin/admin_settings_security.php
+++ b/post/admin/admin_settings_security.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_security_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_telemetry.php b/post/admin/admin_settings_telemetry.php
index 59fc0c5f..46b74866 100644
--- a/post/admin/admin_settings_telemetry.php
+++ b/post/admin/admin_settings_telemetry.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_telemetry_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_theme.php b/post/admin/admin_settings_theme.php
index 6fed2d55..a539bed3 100644
--- a/post/admin/admin_settings_theme.php
+++ b/post/admin/admin_settings_theme.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_theme_settings'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_settings_ticket.php b/post/admin/admin_settings_ticket.php
index 705c49eb..34561fd6 100644
--- a/post/admin/admin_settings_ticket.php
+++ b/post/admin/admin_settings_ticket.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_ticket_settings'])) {
 
     $config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
diff --git a/post/admin/admin_software_template.php b/post/admin/admin_software_template.php
index e0f9d019..e7535e0d 100644
--- a/post/admin/admin_software_template.php
+++ b/post/admin/admin_software_template.php
@@ -2,6 +2,8 @@
 
 // Software/License Templates
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Import shared code from software-side tickets as we reuse functions
 require_once 'post/user/software.php';
 
diff --git a/post/admin/admin_tag.php b/post/admin/admin_tag.php
index bb3e8280..2602ebfb 100644
--- a/post/admin/admin_tag.php
+++ b/post/admin/admin_tag.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for tagging
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_tag'])) {
 
     require_once 'post/admin/admin_tag_model.php';
diff --git a/post/admin/admin_tag_model.php b/post/admin/admin_tag_model.php
index b7639f71..0380df8b 100644
--- a/post/admin/admin_tag_model.php
+++ b/post/admin/admin_tag_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $type = intval($_POST['type']);
 $color = sanitizeInput($_POST['color']);
diff --git a/post/admin/admin_tax.php b/post/admin/admin_tax.php
index 76b39759..3fef08ce 100644
--- a/post/admin/admin_tax.php
+++ b/post/admin/admin_tax.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for tax
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_tax'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_ticket_status.php b/post/admin/admin_ticket_status.php
index 79b600cd..dce68dc1 100644
--- a/post/admin/admin_ticket_status.php
+++ b/post/admin/admin_ticket_status.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_ticket_status'])) {
 
     $name = sanitizeInput($_POST['name']);
diff --git a/post/admin/admin_ticket_template.php b/post/admin/admin_ticket_template.php
index 428b1d16..49a99f92 100644
--- a/post/admin/admin_ticket_template.php
+++ b/post/admin/admin_ticket_template.php
@@ -2,6 +2,8 @@
 
 // Ticket Templates
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Import shared code from user-side tickets/tasks as we reuse functions
 require_once 'post/user/ticket.php';
 require_once 'post/user/task.php';
diff --git a/post/admin_update.php b/post/admin/admin_update.php
similarity index 99%
rename from post/admin_update.php
rename to post/admin/admin_update.php
index 41e1ac42..3ffc53fd 100644
--- a/post/admin_update.php
+++ b/post/admin/admin_update.php
@@ -1,5 +1,7 @@
 <?php
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_GET['update'])) {
 
     validateAdminRole(); // Old function
diff --git a/post/admin/admin_user.php b/post/admin/admin_user.php
index ca7042ae..e3b0f2d8 100644
--- a/post/admin/admin_user.php
+++ b/post/admin/admin_user.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for user (agent) management
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_user'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/admin/admin_user_model.php b/post/admin/admin_user_model.php
index 8b4b9eb2..4652af8a 100644
--- a/post/admin/admin_user_model.php
+++ b/post/admin/admin_user_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $email = sanitizeInput($_POST['email']);
 $role = intval($_POST['role']);
diff --git a/post/admin/admin_vendor_template.php b/post/admin/admin_vendor_template.php
index 9f8c8b5b..cac2b103 100644
--- a/post/admin/admin_vendor_template.php
+++ b/post/admin/admin_vendor_template.php
@@ -2,6 +2,8 @@
 
 // Vendor Templates
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Import shared code from user-side vendor management  as we reuse functions
 require_once 'post/user/vendor.php';
 
diff --git a/post/user/account.php b/post/user/account.php
index 11c69076..f507c4d7 100644
--- a/post/user/account.php
+++ b/post/user/account.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for account(s) (accounting related)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_account'])) {
     enforceUserPermission('module_financial', 2);
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/user/asset.php b/post/user/asset.php
index bdb88883..778cea42 100644
--- a/post/user/asset.php
+++ b/post/user/asset.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client assets
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_asset'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/asset_interface_model.php b/post/user/asset_interface_model.php
index 5c365685..67a1905a 100644
--- a/post/user/asset_interface_model.php
+++ b/post/user/asset_interface_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $mac = sanitizeInput($_POST['mac']);
 $ip = sanitizeInput($_POST['ip']);
diff --git a/post/user/asset_model.php b/post/user/asset_model.php
index 88a25b8f..5289629f 100644
--- a/post/user/asset_model.php
+++ b/post/user/asset_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $type = sanitizeInput($_POST['type']);
diff --git a/post/user/budget.php b/post/user/budget.php
index 61ba2aeb..59d77c68 100644
--- a/post/user/budget.php
+++ b/post/user/budget.php
@@ -4,6 +4,9 @@
  * ITFlow - GET/POST request handler for budget
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
+
 if (isset($_POST['save_budget'])) {
 
     enforceUserPermission('module_financial', 2);
diff --git a/post/user/certificate.php b/post/user/certificate.php
index fc61918d..0a2a5eaa 100644
--- a/post/user/certificate.php
+++ b/post/user/certificate.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client SSL certificates
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_certificate'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/certificate_model.php b/post/user/certificate_model.php
index 2fc171ec..4629b479 100644
--- a/post/user/certificate_model.php
+++ b/post/user/certificate_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $domain = sanitizeInput($_POST['domain']);
diff --git a/post/user/client.php b/post/user/client.php
index 9d0a93c3..5bb9f525 100644
--- a/post/user/client.php
+++ b/post/user/client.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for clients/customers (overview)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_client'])) {
 
     validateCSRFToken($_POST['csrf_token']);
diff --git a/post/user/client_model.php b/post/user/client_model.php
index 028d135e..00255d86 100644
--- a/post/user/client_model.php
+++ b/post/user/client_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $type = sanitizeInput($_POST['type']);
 $website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
diff --git a/post/user/contact.php b/post/user/contact.php
index f1c4ce2f..fa625666 100644
--- a/post/user/contact.php
+++ b/post/user/contact.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client contacts
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_contact'])) {
 
     enforceUserPermission('module_client', 2);
diff --git a/post/user/contact_model.php b/post/user/contact_model.php
index 6e0b2eae..cfc98732 100644
--- a/post/user/contact_model.php
+++ b/post/user/contact_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
diff --git a/post/user/credential.php b/post/user/credential.php
index 382736f6..20eec768 100644
--- a/post/user/credential.php
+++ b/post/user/credential.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client credentials (formerly logins)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_login'])) {
 
     enforceUserPermission('module_credential', 2);
diff --git a/post/user/credential_model.php b/post/user/credential_model.php
index e0c515bd..655a770d 100644
--- a/post/user/credential_model.php
+++ b/post/user/credential_model.php
@@ -1,5 +1,7 @@
 <?php
 // Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
diff --git a/post/user/document.php b/post/user/document.php
index 7459a0ce..9c831086 100644
--- a/post/user/document.php
+++ b/post/user/document.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client documents
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_document'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/document_model.php b/post/user/document_model.php
index 7dd53031..dc1af5d6 100644
--- a/post/user/document_model.php
+++ b/post/user/document_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $folder = intval($_POST['folder']);
diff --git a/post/user/domain.php b/post/user/domain.php
index 8dd6aa50..4a8c7b08 100644
--- a/post/user/domain.php
+++ b/post/user/domain.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client domains
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_domain'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/domain_model.php b/post/user/domain_model.php
index 2048e51e..13a79c57 100644
--- a/post/user/domain_model.php
+++ b/post/user/domain_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
 $description = sanitizeInput($_POST['description']);
 $registrar = intval($_POST['registrar']);
diff --git a/post/user/event.php b/post/user/event.php
index c3f842dc..de5bca54 100644
--- a/post/user/event.php
+++ b/post/user/event.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for calendar & events
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_calendar'])) {
 
     $name = sanitizeInput($_POST['name']);
diff --git a/post/user/event_model.php b/post/user/event_model.php
index d3f39b6d..a2719953 100644
--- a/post/user/event_model.php
+++ b/post/user/event_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $calendar_id = intval($_POST['calendar']);
 $title = sanitizeInput($_POST['title']);
 $location = sanitizeInput($_POST['location']);
diff --git a/post/user/expense.php b/post/user/expense.php
index 96b2a5b2..9c3174fb 100644
--- a/post/user/expense.php
+++ b/post/user/expense.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for expenses
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_expense'])) {
 
     require_once 'post/user/expense_model.php';
diff --git a/post/user/expense_model.php b/post/user/expense_model.php
index 7224ebcf..fca5d58f 100644
--- a/post/user/expense_model.php
+++ b/post/user/expense_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $amount = floatval($_POST['amount']);
 $account = intval($_POST['account']);
diff --git a/post/user/file.php b/post/user/file.php
index e9877239..3864e836 100644
--- a/post/user/file.php
+++ b/post/user/file.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client files/uploads
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['upload_files'])) {
     
     enforceUserPermission('module_support', 2);    
diff --git a/post/user/folder.php b/post/user/folder.php
index df369966..ee43e1b2 100644
--- a/post/user/folder.php
+++ b/post/user/folder.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for folders
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['create_folder'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/invoice.php b/post/user/invoice.php
index 4c5cc95b..a02c0e63 100644
--- a/post/user/invoice.php
+++ b/post/user/invoice.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for invoices & payments
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_invoice'])) {
 
     require_once 'post/user/invoice_model.php';
diff --git a/post/user/invoice_model.php b/post/user/invoice_model.php
index 716c4894..81a9c4a1 100644
--- a/post/user/invoice_model.php
+++ b/post/user/invoice_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 $date = sanitizeInput($_POST['date']);
 $category = intval($_POST['category']);
diff --git a/post/user/location.php b/post/user/location.php
index fb0f2383..7e880615 100644
--- a/post/user/location.php
+++ b/post/user/location.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client physical locations/sites
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if(isset($_POST['add_location'])){
 
     enforceUserPermission('module_client', 2);
diff --git a/post/user/location_model.php b/post/user/location_model.php
index 19f323aa..8b7780ed 100644
--- a/post/user/location_model.php
+++ b/post/user/location_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
diff --git a/post/user/network.php b/post/user/network.php
index f10c3b36..ac71cf70 100644
--- a/post/user/network.php
+++ b/post/user/network.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client networks
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_network'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/network_model.php b/post/user/network_model.php
index 78839e11..a25f1b4d 100644
--- a/post/user/network_model.php
+++ b/post/user/network_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $vlan = intval($_POST['vlan']);
diff --git a/post/user/product.php b/post/user/product.php
index a29506f4..68f6d5ab 100644
--- a/post/user/product.php
+++ b/post/user/product.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for products
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Products
 if (isset($_POST['add_product'])) {
 
diff --git a/post/user/product_model.php b/post/user/product_model.php
index 61952a09..a9947a0c 100644
--- a/post/user/product_model.php
+++ b/post/user/product_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $price = floatval($_POST['price']);
diff --git a/post/user/profile.php b/post/user/profile.php
index 379dee12..2b431729 100644
--- a/post/user/profile.php
+++ b/post/user/profile.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for user profiles (tech/agent)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_your_user_details'])) {
 
     // CSRF Check
diff --git a/post/user/project.php b/post/user/project.php
index 96521dc5..875781b7 100644
--- a/post/user/project.php
+++ b/post/user/project.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for tasks
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_project'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/quote.php b/post/user/quote.php
index d6b44c46..6251d44d 100644
--- a/post/user/quote.php
+++ b/post/user/quote.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for quotes
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_quote'])) {
 
     enforceUserPermission('module_sales', 2);
diff --git a/post/user/quote_model.php b/post/user/quote_model.php
index 1243a155..8d270809 100644
--- a/post/user/quote_model.php
+++ b/post/user/quote_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $expire = sanitizeInput($_POST['expire']);
 $category = intval($_POST['category']);
diff --git a/post/user/rack.php b/post/user/rack.php
index 843c1f0e..50bfd1b8 100644
--- a/post/user/rack.php
+++ b/post/user/rack.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client racks
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_rack'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/revenue.php b/post/user/revenue.php
index c8ec8598..47fa91bf 100644
--- a/post/user/revenue.php
+++ b/post/user/revenue.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for revenue
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_revenue'])) {
 
     enforceUserPermission('module_sales', 2);
diff --git a/post/user/service.php b/post/user/service.php
index 0dc87d44..9437da39 100644
--- a/post/user/service.php
+++ b/post/user/service.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client service info
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_service'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/software.php b/post/user/software.php
index fcba2e4b..f12aa63c 100644
--- a/post/user/software.php
+++ b/post/user/software.php
@@ -4,6 +4,7 @@
  * ITFlow - GET/POST request handler for client software & licenses
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_software_from_template'])) {
 
diff --git a/post/user/task.php b/post/user/task.php
index 8f31cdd5..3d74a51f 100644
--- a/post/user/task.php
+++ b/post/user/task.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for tasks
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_task'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/ticket.php b/post/user/ticket.php
index 4e8db736..706f7a82 100644
--- a/post/user/ticket.php
+++ b/post/user/ticket.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for client tickets
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_ticket'])) {
 
     enforceUserPermission('module_support', 2);
diff --git a/post/user/ticket_recurring_model.php b/post/user/ticket_recurring_model.php
index 26f8fe0f..038c7fc3 100644
--- a/post/user/ticket_recurring_model.php
+++ b/post/user/ticket_recurring_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 $client_id = intval($_POST['client']);
 $subject = sanitizeInput($_POST['subject']);
diff --git a/post/user/transfer.php b/post/user/transfer.php
index b5d57b12..73128479 100644
--- a/post/user/transfer.php
+++ b/post/user/transfer.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for transfers (accounting)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_transfer'])) {
 
     enforceUserPermission('module_financial', 2);
diff --git a/post/user/transfer_model.php b/post/user/transfer_model.php
index 9c6b4e19..71c55e36 100644
--- a/post/user/transfer_model.php
+++ b/post/user/transfer_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $amount = floatval($_POST['amount']);
 $account_from = intval($_POST['account_from']);
diff --git a/post/user/trip.php b/post/user/trip.php
index 6720876b..ec083f15 100644
--- a/post/user/trip.php
+++ b/post/user/trip.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for trips (accounting related)
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_trip'])) {
 
     require_once 'post/user/trip_model.php';
diff --git a/post/user/trip_model.php b/post/user/trip_model.php
index ada58975..99b25803 100644
--- a/post/user/trip_model.php
+++ b/post/user/trip_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $source = sanitizeInput($_POST['source']);
 $destination = sanitizeInput($_POST['destination']);
diff --git a/post/user/vendor.php b/post/user/vendor.php
index bdcee359..1c7ff4b5 100644
--- a/post/user/vendor.php
+++ b/post/user/vendor.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for vendors
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_vendor_from_template'])) {
 
     // GET POST Data
diff --git a/post/user/vendor_contact.php b/post/user/vendor_contact.php
index e3aa593f..63dd75ec 100644
--- a/post/user/vendor_contact.php
+++ b/post/user/vendor_contact.php
@@ -4,6 +4,8 @@
  * ITFlow - GET/POST request handler for vendor contacts
  */
 
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_vendor_contact'])) {
 
     enforceUserPermission('module_client', 2);
diff --git a/post/user/vendor_contact_model.php b/post/user/vendor_contact_model.php
index bb1642a9..76328aa7 100644
--- a/post/user/vendor_contact_model.php
+++ b/post/user/vendor_contact_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 $client_id = intval($_POST['client_id']);
 $vendor_id = intval($_POST['vendor_id']);
diff --git a/post/user/vendor_model.php b/post/user/vendor_model.php
index a62795e7..175915fd 100644
--- a/post/user/vendor_model.php
+++ b/post/user/vendor_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $account_number = sanitizeInput($_POST['account_number']);