Add CSRF Checks on Agent ajax endpoints that would update / delete or add something to the db

admin/ticket_template_details.php

@@ -148,6 +148,7 @@ new Sortable(document.querySelector('table#tasks tbody'), {
 
         $.post('/agent/ajax.php', {
             update_task_templates_order: true,
+            csrf_token: '<?= $_SESSION['csrf_token'] ?>',
             ticket_template_id: <?php echo $ticket_template_id; ?>,
             positions: positions
         });

agent/ajax.php

@@ -41,6 +41,9 @@ if (isset($_GET['certificate_fetch_parse_json_details'])) {
 }
 
 if (isset($_POST['client_set_notes'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $client_id = intval($_POST['client_id']);
@@ -55,6 +58,9 @@ if (isset($_POST['client_set_notes'])) {
 }
 
 if (isset($_POST['contact_set_notes'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_POST['contact_id']);
@@ -77,6 +83,9 @@ if (isset($_POST['contact_set_notes'])) {
 }
 
 if (isset($_POST['asset_set_notes'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $asset_id = intval($_POST['asset_id']);
@@ -143,6 +152,9 @@ if (isset($_GET['ticket_query_views'])) {
  * Generates public/guest links for sharing credentials/docs
  */
 if (isset($_GET['share_generate_link'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $item_encrypted_username = '';  // Default empty
@@ -558,6 +570,9 @@ if (isset($_POST['update_kanban_ticket'])) {
 
 if (isset($_POST['update_ticket_tasks_order'])) {
     // Update multiple ticket tasks order
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $positions = $_POST['positions'];
@@ -577,6 +592,9 @@ if (isset($_POST['update_ticket_tasks_order'])) {
 
 if (isset($_POST['update_task_templates_order'])) {
     // Update multiple task templates order
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_support', 2);
 
     $positions = $_POST['positions'];
@@ -596,6 +614,9 @@ if (isset($_POST['update_task_templates_order'])) {
 
 if (isset($_POST['update_quote_items_order'])) {
     // Update multiple quote items order
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
 
     $positions = $_POST['positions'];
@@ -615,6 +636,9 @@ if (isset($_POST['update_quote_items_order'])) {
 
 if (isset($_POST['update_invoice_items_order'])) {
     // Update multiple invoice items order
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
 
     $positions = $_POST['positions'];
@@ -634,6 +658,9 @@ if (isset($_POST['update_invoice_items_order'])) {
 
 if (isset($_POST['update_recurring_invoice_items_order'])) {
     // Update multiple recurring invoice items order
+
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
 
     $positions = $_POST['positions'];

agent/asset_details.php

@@ -1231,6 +1231,7 @@ if (isset($_GET['asset_id'])) {
                 "ajax.php",
                 {
                     asset_set_notes: 'TRUE',
+                    csrf_token: '<?= $_SESSION['csrf_token'] ?>',
                     asset_id: asset_id,
                     notes: notes
                 }

agent/client_overview.php

@@ -812,6 +812,7 @@ $sql_asset_retired = mysqli_query(
             "ajax.php",
             {
                 client_set_notes: 'TRUE',
+                csrf_token: '<?= $_SESSION['csrf_token'] ?>',
                 client_id: client_id,
                 notes: notes
             }

agent/contact_details.php

@@ -1171,6 +1171,7 @@ if (isset($_GET['contact_id'])) {
                 "ajax.php",
                 {
                     contact_set_notes: 'TRUE',
+                    csrf_token: '<?= $_SESSION['csrf_token'] ?>',
                     contact_id: contact_id,
                     notes: notes
                 }

agent/invoice.php

@@ -817,6 +817,7 @@ new Sortable(document.querySelector('table#items tbody'), {
 
         $.post('ajax.php', {
             update_invoice_items_order: true,
+            csrf_token: '<?= $_SESSION['csrf_token'] ?>',
             invoice_id: <?php echo $invoice_id; ?>,
             positions: positions
         });

agent/js/share_modal.js

@@ -23,6 +23,7 @@ function populateShareModal(client_id, item_type, item_ref_id) {
 }
 
 function generateShareLink() {
+    let csrf_token = document.getElementById("csrf_token").value;
     let client_id = document.getElementById("share_client_id").value;
     let item_type = document.getElementById("share_item_type").value;
     let item_ref_id = document.getElementById("share_item_ref_id").value;
@@ -36,7 +37,7 @@ function generateShareLink() {
         // Send a GET request to ajax.php as ajax.php?share_generate_link=true....
         jQuery.get(
             "ajax.php",
-            {share_generate_link: 'true', client_id: client_id, type: item_type, id: item_ref_id, note: item_note ,views: item_views, expires: item_expires, contact_email},
+            {share_generate_link: 'true', csrf_token: csrf_token, client_id: client_id, type: item_type, id: item_ref_id, note: item_note ,views: item_views, expires: item_expires, contact_email},
             function(data) {
 
                 // If we get a response from ajax.php, parse it as JSON

agent/modals/asset/asset_details.php

@@ -408,6 +408,7 @@ ob_start();
                     "ajax.php",
                     {
                         asset_set_notes: 'TRUE',
+                        csrf_token: '<?= $_SESSION['csrf_token'] ?>',
                         asset_id: asset_id,
                         notes: notes
                     }

agent/modals/share_modal.php

@@ -10,6 +10,7 @@
                 </button>
             </div>
             <form action="ajax.php" method="GET" id="newShareLink">
+                <input type="hidden" name="csrf_token" id="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="client_id" id="share_client_id" value="">
                 <input type="hidden" name="item_type" id="share_item_type" value="">
                 <input type="hidden" name="item_ref_id" id="share_item_ref_id" value="">

agent/quote.php

@@ -616,7 +616,8 @@ new Sortable(document.querySelector('table#items tbody'), {
 
         $.post('ajax.php', {
             update_quote_items_order: true,
-            quote_id: <?php echo $quote_id; ?>,
+            csrf_token: '<?= $_SESSION['csrf_token'] ?>',
+            quote_id: <?= $quote_id ?>,
             positions: positions
         });
     }

agent/recurring_invoice.php

@@ -516,6 +516,7 @@ new Sortable(document.querySelector('table#items tbody'), {
 
         $.post('ajax.php', {
             update_recurring_invoice_items_order: true,
+            csrf_token: '<?= $_SESSION['csrf_token'] ?>',
             recurring_invoice_id: <?php echo $recurring_invoice_id; ?>,
             positions: positions
         });

agent/ticket.php

@@ -1346,6 +1346,7 @@ new Sortable(document.querySelector('table#tasks tbody'), {
 
         $.post('ajax.php', {
             update_ticket_tasks_order: true,
+            csrf_token: '<?= $_SESSION['csrf_token'] ?>',
             ticket_id: <?php echo $ticket_id; ?>,
             positions: positions
         });

guest/guest_view_item.php

@@ -231,7 +231,7 @@ if ($item_type == "Document") {
         function showOTP(id, secret) {
             //Send a GET request to ajax.php as guest_ajax.php?get_totp_token=true&totp_secret=SECRET
             jQuery.get(
-                "guest_ajax.php",
+                "/agent/ajax.php",
                 {get_totp_token: 'true', totp_secret: secret},
                 function(data) {
                     //If we get a response from post.php, parse it as JSON