AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revenues: Add missing CSRF checks

Browse Source
This commit is contained in:
johnnyq
2026-03-01 22:42:37 -05:00
parent f653752026
commit af1ebfea41
4 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/revenue/revenue_add.php
View File

@@ -12,6 +12,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<div class="modal-body"> <div class="modal-body">
<div class="form-row"> <div class="form-row">

1
agent/modals/revenue/revenue_edit.php
View File

@@ -28,6 +28,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="revenue_id" value="<?php echo $revenue_id; ?>"> <input type="hidden" name="revenue_id" value="<?php echo $revenue_id; ?>">
<div class="modal-body"> <div class="modal-body">

6
agent/post/revenue.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_revenue'])) { if (isset($_POST['add_revenue'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
@@ -32,6 +34,8 @@ if (isset($_POST['add_revenue'])) {
if (isset($_POST['edit_revenue'])) { if (isset($_POST['edit_revenue'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
$revenue_id = intval($_POST['revenue_id']); $revenue_id = intval($_POST['revenue_id']);
@@ -55,6 +59,8 @@ if (isset($_POST['edit_revenue'])) {
if (isset($_GET['delete_revenue'])) { if (isset($_GET['delete_revenue'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 3); enforceUserPermission('module_sales', 3);
$revenue_id = intval($_GET['delete_revenue']); $revenue_id = intval($_GET['delete_revenue']);

2
agent/revenues.php
View File

@@ -145,7 +145,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<i class="fas fa-fw fa-edit mr-2"></i>Edit <i class="fas fa-fw fa-edit mr-2"></i>Edit
</a> </a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_revenue=<?php echo $revenue_id; ?>"> <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_revenue=<?= $revenue_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete <i class="fas fa-fw fa-trash mr-2"></i>Delete
</a> </a>
</div> </div>