Revenues: Add missing CSRF checks

2026-03-11 00:04:50 +00:00 · 2026-03-01 22:42:37 -05:00
parent f653752026
commit af1ebfea41
4 changed files with 9 additions and 1 deletions
--- a/agent/modals/revenue/revenue_add.php
+++ b/agent/modals/revenue/revenue_add.php
@@ -12,6 +12,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <div class="modal-body">

        <div class="form-row">
--- a/agent/modals/revenue/revenue_edit.php
+++ b/agent/modals/revenue/revenue_edit.php
@@ -28,6 +28,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="revenue_id" value="<?php echo $revenue_id; ?>">
    <div class="modal-body">

--- a/agent/post/revenue.php
+++ b/agent/post/revenue.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_revenue'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_sales', 2);

    $date = sanitizeInput($_POST['date']);
@@ -32,6 +34,8 @@ if (isset($_POST['add_revenue'])) {

 if (isset($_POST['edit_revenue'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_sales', 2);

    $revenue_id = intval($_POST['revenue_id']);
@@ -55,6 +59,8 @@ if (isset($_POST['edit_revenue'])) {

 if (isset($_GET['delete_revenue'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_sales', 3);

    $revenue_id = intval($_GET['delete_revenue']);
--- a/agent/revenues.php
+++ b/agent/revenues.php
@@ -145,7 +145,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                        <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                    </a>
                                    <div class="dropdown-divider"></div>
-                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_revenue=<?php echo $revenue_id; ?>">
+                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_revenue=<?= $revenue_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                        <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                    </a>
                                </div>