Prevent post pages being accessed directly

2026-02-28 02:44:53 +00:00 · 2025-01-09 16:09:39 +00:00
parent ec54b28b02
commit a67de7a8f1
91 changed files with 190 additions and 16 deletions
--- a/post/user/account.php
+++ b/post/user/account.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for account(s) (accounting related)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_account'])) {
    enforceUserPermission('module_financial', 2);
    validateCSRFToken($_POST['csrf_token']);
--- a/post/user/asset.php
+++ b/post/user/asset.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client assets
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_asset'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/asset_interface_model.php
+++ b/post/user/asset_interface_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $mac = sanitizeInput($_POST['mac']);
 $ip = sanitizeInput($_POST['ip']);
--- a/post/user/asset_model.php
+++ b/post/user/asset_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $type = sanitizeInput($_POST['type']);
--- a/post/user/budget.php
+++ b/post/user/budget.php
@@ -4,6 +4,9 @@
 * ITFlow - GET/POST request handler for budget
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
+
 if (isset($_POST['save_budget'])) {

    enforceUserPermission('module_financial', 2);
--- a/post/user/certificate.php
+++ b/post/user/certificate.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client SSL certificates
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_certificate'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/certificate_model.php
+++ b/post/user/certificate_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $domain = sanitizeInput($_POST['domain']);
--- a/post/user/client.php
+++ b/post/user/client.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for clients/customers (overview)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_client'])) {

    validateCSRFToken($_POST['csrf_token']);
--- a/post/user/client_model.php
+++ b/post/user/client_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $type = sanitizeInput($_POST['type']);
 $website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
--- a/post/user/contact.php
+++ b/post/user/contact.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client contacts
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_contact'])) {

    enforceUserPermission('module_client', 2);
--- a/post/user/contact_model.php
+++ b/post/user/contact_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
--- a/post/user/credential.php
+++ b/post/user/credential.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client credentials (formerly logins)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_login'])) {

    enforceUserPermission('module_credential', 2);
--- a/post/user/credential_model.php
+++ b/post/user/credential_model.php
@@ -1,5 +1,7 @@
 <?php
 // Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
--- a/post/user/document.php
+++ b/post/user/document.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client documents
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_document'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/document_model.php
+++ b/post/user/document_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $folder = intval($_POST['folder']);
--- a/post/user/domain.php
+++ b/post/user/domain.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client domains
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_domain'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/domain_model.php
+++ b/post/user/domain_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
 $description = sanitizeInput($_POST['description']);
 $registrar = intval($_POST['registrar']);
--- a/post/user/event.php
+++ b/post/user/event.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for calendar & events
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_calendar'])) {

    $name = sanitizeInput($_POST['name']);
--- a/post/user/event_model.php
+++ b/post/user/event_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $calendar_id = intval($_POST['calendar']);
 $title = sanitizeInput($_POST['title']);
 $location = sanitizeInput($_POST['location']);
--- a/post/user/expense.php
+++ b/post/user/expense.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for expenses
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_expense'])) {

    require_once 'post/user/expense_model.php';
--- a/post/user/expense_model.php
+++ b/post/user/expense_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $amount = floatval($_POST['amount']);
 $account = intval($_POST['account']);
--- a/post/user/file.php
+++ b/post/user/file.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client files/uploads
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['upload_files'])) {
    
    enforceUserPermission('module_support', 2);    
--- a/post/user/folder.php
+++ b/post/user/folder.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for folders
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['create_folder'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/invoice.php
+++ b/post/user/invoice.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for invoices & payments
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_invoice'])) {

    require_once 'post/user/invoice_model.php';
--- a/post/user/invoice_model.php
+++ b/post/user/invoice_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 $date = sanitizeInput($_POST['date']);
 $category = intval($_POST['category']);
--- a/post/user/location.php
+++ b/post/user/location.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client physical locations/sites
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if(isset($_POST['add_location'])){

    enforceUserPermission('module_client', 2);
--- a/post/user/location_model.php
+++ b/post/user/location_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
--- a/post/user/network.php
+++ b/post/user/network.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client networks
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_network'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/network_model.php
+++ b/post/user/network_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $vlan = intval($_POST['vlan']);
--- a/post/user/product.php
+++ b/post/user/product.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for products
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 // Products
 if (isset($_POST['add_product'])) {

--- a/post/user/product_model.php
+++ b/post/user/product_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $price = floatval($_POST['price']);
--- a/post/user/profile.php
+++ b/post/user/profile.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for user profiles (tech/agent)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['edit_your_user_details'])) {

    // CSRF Check
--- a/post/user/project.php
+++ b/post/user/project.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for tasks
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_project'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/quote.php
+++ b/post/user/quote.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for quotes
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_quote'])) {

    enforceUserPermission('module_sales', 2);
--- a/post/user/quote_model.php
+++ b/post/user/quote_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $expire = sanitizeInput($_POST['expire']);
 $category = intval($_POST['category']);
--- a/post/user/rack.php
+++ b/post/user/rack.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client racks
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_rack'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/revenue.php
+++ b/post/user/revenue.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for revenue
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_revenue'])) {

    enforceUserPermission('module_sales', 2);
--- a/post/user/service.php
+++ b/post/user/service.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client service info
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_service'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/software.php
+++ b/post/user/software.php
@@ -4,6 +4,7 @@
 * ITFlow - GET/POST request handler for client software & licenses
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_software_from_template'])) {

--- a/post/user/task.php
+++ b/post/user/task.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for tasks
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_task'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/ticket.php
+++ b/post/user/ticket.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for client tickets
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_ticket'])) {

    enforceUserPermission('module_support', 2);
--- a/post/user/ticket_recurring_model.php
+++ b/post/user/ticket_recurring_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 $client_id = intval($_POST['client']);
 $subject = sanitizeInput($_POST['subject']);
--- a/post/user/transfer.php
+++ b/post/user/transfer.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for transfers (accounting)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_transfer'])) {

    enforceUserPermission('module_financial', 2);
--- a/post/user/transfer_model.php
+++ b/post/user/transfer_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $amount = floatval($_POST['amount']);
 $account_from = intval($_POST['account_from']);
--- a/post/user/trip.php
+++ b/post/user/trip.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for trips (accounting related)
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_trip'])) {

    require_once 'post/user/trip_model.php';
--- a/post/user/trip_model.php
+++ b/post/user/trip_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $date = sanitizeInput($_POST['date']);
 $source = sanitizeInput($_POST['source']);
 $destination = sanitizeInput($_POST['destination']);
--- a/post/user/vendor.php
+++ b/post/user/vendor.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for vendors
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_vendor_from_template'])) {

    // GET POST Data
--- a/post/user/vendor_contact.php
+++ b/post/user/vendor_contact.php
@@ -4,6 +4,8 @@
 * ITFlow - GET/POST request handler for vendor contacts
 */

+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 if (isset($_POST['add_vendor_contact'])) {

    enforceUserPermission('module_client', 2);
--- a/post/user/vendor_contact_model.php
+++ b/post/user/vendor_contact_model.php
@@ -1,4 +1,5 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 $client_id = intval($_POST['client_id']);
 $vendor_id = intval($_POST['vendor_id']);
--- a/post/user/vendor_model.php
+++ b/post/user/vendor_model.php
@@ -1,4 +1,6 @@
 <?php
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $account_number = sanitizeInput($_POST['account_number']);