diff --git a/agent/post/revenue.php b/agent/post/revenue.php
index 1d2d66fc..69d7beb8 100644
--- a/agent/post/revenue.php
+++ b/agent/post/revenue.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_revenue'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
enforceUserPermission('module_sales', 2);
$date = sanitizeInput($_POST['date']);
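Review bot: The added `validateCSRFToken($_POST['csrf_token'])` reads the key without a presence check, so a request that omits the field triggers an "Undefined array key" warning and hands `null` to the validator instead of a clean rejection; `validateCSRFToken($_POST['csrf_token'] ?? '');` makes a missing token fail the same way a wrong one does. The call's return value is also discarded, which is only safe if the helper exits on failure rather than returning false — its definition is not in this diff, so that is worth confirming, along with its use of `hash_equals()` against the session-stored token. Putting the CSRF check ahead of `enforceUserPermission` is the right order, since a forged request should be dropped before any permission logic runs. The `add_revenue` branch continues past the end of the hunk.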
@@ -32,6 +34,8 @@ if (isset($_POST['add_revenue'])) {
if (isset($_POST['edit_revenue'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
enforceUserPermission('module_sales', 2);
$revenue_id = intval($_POST['revenue_id']);
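Review bot: Same gap as in the `add_revenue` branch: `$_POST['csrf_token']` is dereferenced without a presence check, so a request with no token produces a PHP warning and passes `null` to `validateCSRFToken()` rather than a definite failure; use `validateCSRFToken($_POST['csrf_token'] ?? '');`. Whether `null` is rejected depends on how the helper compares values, which is not visible here, so the explicit default removes the guesswork. The `edit_revenue` branch continues beyond the hunk.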
@@ -55,6 +59,8 @@ if (isset($_POST['edit_revenue'])) {
if (isset($_GET['delete_revenue'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
enforceUserPermission('module_sales', 3);
$revenue_id = intval($_GET['delete_revenue']);
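Review bot: This branch performs a delete on a GET request and now carries the CSRF token in the query string, which exposes the token in browser history, server and proxy access logs, and the Referer header of any page navigated to from the confirmation response; if the token is per-session rather than per-request, a single leak lets an attacker forge deletes for the rest of the session. The stronger fix is to move the delete to a POST form (the `revenues.php` link in this same commit would become a small form with a hidden `csrf_token` field) and check `$_POST` here; at minimum, guard the lookup with `validateCSRFToken($_GET['csrf_token'] ?? '');` so a missing parameter does not raise a warning and pass `null` to the validator. Also worth a comment on the `$_GET` line, since the next reader will wonder why a state-changing action is on GET: `// TODO(security): delete via GET leaks the CSRF token in logs/Referer; convert to POST`. The `delete_revenue` branch continues beyond the hunk.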
diff --git a/agent/revenues.php b/agent/revenues.php
index 2963c712..f0fa7738 100644
--- a/agent/revenues.php
+++ b/agent/revenues.php
@@ -145,7 +145,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
Edit
-
+
Delete
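Review bot: The content of the removed and added lines between `Edit` and `Delete` is empty in this view, so the new markup for the Delete link cannot be checked here; presumably it appends a `csrf_token` query parameter to the delete URL, given the matching `$_GET['csrf_token']` read in `agent/post/revenue.php`. If so, the token value must be `urlencode()`d when built into the query string and `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`'d when written into the `href` attribute, and any `revenue_id` echoed into the same URL needs the same treatment. A POST form with a hidden `csrf_token` field would avoid putting the token in a URL at all. The surrounding template code starts before and ends after this hunk.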