mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 08:14:52 +00:00
locations: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore
This commit is contained in:
johnnyq
@@ -190,8 +190,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
|||||||
<?php if ($archived) { ?>
|
<?php if ($archived) { ?>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<button class="dropdown-item text-info"
|
<button class="dropdown-item text-info"
|
||||||
type="submit" form="bulkActions" name="bulk_unarchive_locations">
|
type="submit" form="bulkActions" name="bulk_restore_locations">
|
||||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||||
</button>
|
</button>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<button class="dropdown-item text-danger text-bold"
|
<button class="dropdown-item text-danger text-bold"
|
||||||
@@ -370,18 +370,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
|||||||
<?php if ($session_user_role == 3 && $location_primary == 0) { ?>
|
<?php if ($session_user_role == 3 && $location_primary == 0) { ?>
|
||||||
<?php if ($location_archived_at) { ?>
|
<?php if ($location_archived_at) { ?>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<a class="dropdown-item text-info confirm-link" href="post.php?unarchive_location=<?php echo $location_id; ?>">
|
<a class="dropdown-item text-info confirm-link" href="post.php?restore_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||||
</a>
|
</a>
|
||||||
<?php if ($config_destructive_deletes_enable) { ?>
|
<?php if ($config_destructive_deletes_enable) { ?>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_location=<?php echo $location_id; ?>">
|
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||||
</a>
|
</a>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
<?php } else { ?>
|
<?php } else { ?>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_location=<?php echo $location_id; ?>">
|
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||||
</a>
|
</a>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ ob_start();
|
|||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||||
|
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||||
|
|
||||||
<div class="modal-body">
|
<div class="modal-body">
|
||||||
|
|
||||||
|
|||||||
@@ -47,6 +47,7 @@ ob_start();
|
|||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||||
|
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||||
<input type="hidden" name="location_id" value="<?php echo $location_id; ?>">
|
<input type="hidden" name="location_id" value="<?php echo $location_id; ?>">
|
||||||
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
|
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
|
||||||
|
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ ob_start();
|
|||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
<form action="post.php" method="post" autocomplete="off">
|
<form action="post.php" method="post" autocomplete="off">
|
||||||
|
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||||
<div class="modal-body">
|
<div class="modal-body">
|
||||||
|
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ ob_start();
|
|||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||||
|
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||||
|
|
||||||
<div class="modal-body">
|
<div class="modal-body">
|
||||||
|
|||||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
|||||||
|
|
||||||
if(isset($_POST['add_location'])){
|
if(isset($_POST['add_location'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
require_once 'location_model.php';
|
require_once 'location_model.php';
|
||||||
@@ -60,6 +62,8 @@ if(isset($_POST['add_location'])){
|
|||||||
|
|
||||||
if(isset($_POST['edit_location'])){
|
if(isset($_POST['edit_location'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
require_once 'location_model.php';
|
require_once 'location_model.php';
|
||||||
@@ -122,6 +126,8 @@ if(isset($_POST['edit_location'])){
|
|||||||
|
|
||||||
if(isset($_GET['archive_location'])){
|
if(isset($_GET['archive_location'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
$location_id = intval($_GET['archive_location']);
|
$location_id = intval($_GET['archive_location']);
|
||||||
@@ -142,11 +148,13 @@ if(isset($_GET['archive_location'])){
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if(isset($_GET['unarchive_location'])){
|
if(isset($_GET['restore_location'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
$location_id = intval($_GET['unarchive_location']);
|
$location_id = intval($_GET['restore_location']);
|
||||||
|
|
||||||
// Get Location Name and Client ID for logging and alert message
|
// Get Location Name and Client ID for logging and alert message
|
||||||
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
|
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
|
||||||
@@ -156,7 +164,7 @@ if(isset($_GET['unarchive_location'])){
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
||||||
|
|
||||||
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
|
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
|
||||||
|
|
||||||
flash_alert("Location <strong>$location_name</strong> restored");
|
flash_alert("Location <strong>$location_name</strong> restored");
|
||||||
|
|
||||||
@@ -166,6 +174,8 @@ if(isset($_GET['unarchive_location'])){
|
|||||||
|
|
||||||
if(isset($_GET['delete_location'])){
|
if(isset($_GET['delete_location'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 3);
|
enforceUserPermission('module_client', 3);
|
||||||
|
|
||||||
$location_id = intval($_GET['delete_location']);
|
$location_id = intval($_GET['delete_location']);
|
||||||
@@ -188,6 +198,8 @@ if(isset($_GET['delete_location'])){
|
|||||||
|
|
||||||
if (isset($_POST['bulk_assign_location_tags'])) {
|
if (isset($_POST['bulk_assign_location_tags'])) {
|
||||||
|
|
||||||
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
// Assign Tags to Selected
|
// Assign Tags to Selected
|
||||||
@@ -238,9 +250,10 @@ if (isset($_POST['bulk_assign_location_tags'])) {
|
|||||||
|
|
||||||
if (isset($_POST['bulk_archive_locations'])) {
|
if (isset($_POST['bulk_archive_locations'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
if (isset($_POST['location_ids'])) {
|
if (isset($_POST['location_ids'])) {
|
||||||
|
|
||||||
$count = 0; // Default 0
|
$count = 0; // Default 0
|
||||||
@@ -278,7 +291,7 @@ if (isset($_POST['bulk_archive_locations'])) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['bulk_unarchive_locations'])) {
|
if (isset($_POST['bulk_restore_locations'])) {
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
@@ -289,7 +302,7 @@ if (isset($_POST['bulk_unarchive_locations'])) {
|
|||||||
// Get Selected Count
|
// Get Selected Count
|
||||||
$count = count($_POST['location_ids']);
|
$count = count($_POST['location_ids']);
|
||||||
|
|
||||||
// Cycle through array and unarchive
|
// Cycle through array and restore
|
||||||
foreach ($_POST['location_ids'] as $location_id) {
|
foreach ($_POST['location_ids'] as $location_id) {
|
||||||
|
|
||||||
$location_id = intval($location_id);
|
$location_id = intval($location_id);
|
||||||
@@ -302,13 +315,13 @@ if (isset($_POST['bulk_unarchive_locations'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
||||||
|
|
||||||
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
|
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
logAction("Location", "Bulk Unarchive", "$session_name unarchived $count location(s)", $client_id);
|
logAction("Location", "Bulk Restore", "$session_name restored $count location(s)", $client_id);
|
||||||
|
|
||||||
flash_alert("Unarchived <strong>$count</strong> location(s)");
|
flash_alert("Restored <strong>$count</strong> location(s)");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -356,6 +369,10 @@ if (isset($_POST['bulk_delete_locations'])) {
|
|||||||
|
|
||||||
if(isset($_POST['export_locations_csv'])){
|
if(isset($_POST['export_locations_csv'])){
|
||||||
|
|
||||||
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_client');
|
||||||
|
|
||||||
if ($_POST['client_id']) {
|
if ($_POST['client_id']) {
|
||||||
$client_id = intval($_POST['client_id']);
|
$client_id = intval($_POST['client_id']);
|
||||||
$client_query = "AND location_client_id = $client_id";
|
$client_query = "AND location_client_id = $client_id";
|
||||||
@@ -410,6 +427,8 @@ if(isset($_POST['export_locations_csv'])){
|
|||||||
|
|
||||||
if (isset($_POST["import_locations_csv"])) {
|
if (isset($_POST["import_locations_csv"])) {
|
||||||
|
|
||||||
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
enforceUserPermission('module_client', 2);
|
enforceUserPermission('module_client', 2);
|
||||||
|
|
||||||
$client_id = intval($_POST['client_id']);
|
$client_id = intval($_POST['client_id']);
|
||||||
|
|||||||
Reference in New Issue
Block a user