mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 08:14:52 +00:00
locations: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore
This commit is contained in:
johnnyq
@@ -190,8 +190,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if ($archived) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<button class="dropdown-item text-info"
|
||||
type="submit" form="bulkActions" name="bulk_unarchive_locations">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
type="submit" form="bulkActions" name="bulk_restore_locations">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</button>
|
||||
<div class="dropdown-divider"></div>
|
||||
<button class="dropdown-item text-danger text-bold"
|
||||
@@ -370,18 +370,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if ($session_user_role == 3 && $location_primary == 0) { ?>
|
||||
<?php if ($location_archived_at) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?unarchive_location=<?php echo $location_id; ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?restore_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</a>
|
||||
<?php if ($config_destructive_deletes_enable) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_location=<?php echo $location_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
<?php } else { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_location=<?php echo $location_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_location=<?= $location_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -47,6 +47,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="location_id" value="<?php echo $location_id; ?>">
|
||||
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
|
||||
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if(isset($_POST['add_location'])){
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
require_once 'location_model.php';
|
||||
@@ -60,6 +62,8 @@ if(isset($_POST['add_location'])){
|
||||
|
||||
if(isset($_POST['edit_location'])){
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
require_once 'location_model.php';
|
||||
@@ -122,6 +126,8 @@ if(isset($_POST['edit_location'])){
|
||||
|
||||
if(isset($_GET['archive_location'])){
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$location_id = intval($_GET['archive_location']);
|
||||
@@ -142,11 +148,13 @@ if(isset($_GET['archive_location'])){
|
||||
|
||||
}
|
||||
|
||||
if(isset($_GET['unarchive_location'])){
|
||||
if(isset($_GET['restore_location'])){
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$location_id = intval($_GET['unarchive_location']);
|
||||
$location_id = intval($_GET['restore_location']);
|
||||
|
||||
// Get Location Name and Client ID for logging and alert message
|
||||
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
|
||||
@@ -156,7 +164,7 @@ if(isset($_GET['unarchive_location'])){
|
||||
|
||||
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
||||
|
||||
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
|
||||
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
|
||||
|
||||
flash_alert("Location <strong>$location_name</strong> restored");
|
||||
|
||||
@@ -166,6 +174,8 @@ if(isset($_GET['unarchive_location'])){
|
||||
|
||||
if(isset($_GET['delete_location'])){
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 3);
|
||||
|
||||
$location_id = intval($_GET['delete_location']);
|
||||
@@ -188,6 +198,8 @@ if(isset($_GET['delete_location'])){
|
||||
|
||||
if (isset($_POST['bulk_assign_location_tags'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
// Assign Tags to Selected
|
||||
@@ -238,9 +250,10 @@ if (isset($_POST['bulk_assign_location_tags'])) {
|
||||
|
||||
if (isset($_POST['bulk_archive_locations'])) {
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
if (isset($_POST['location_ids'])) {
|
||||
|
||||
$count = 0; // Default 0
|
||||
@@ -278,7 +291,7 @@ if (isset($_POST['bulk_archive_locations'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_POST['bulk_unarchive_locations'])) {
|
||||
if (isset($_POST['bulk_restore_locations'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
@@ -289,7 +302,7 @@ if (isset($_POST['bulk_unarchive_locations'])) {
|
||||
// Get Selected Count
|
||||
$count = count($_POST['location_ids']);
|
||||
|
||||
// Cycle through array and unarchive
|
||||
// Cycle through array and restore
|
||||
foreach ($_POST['location_ids'] as $location_id) {
|
||||
|
||||
$location_id = intval($location_id);
|
||||
@@ -302,13 +315,13 @@ if (isset($_POST['bulk_unarchive_locations'])) {
|
||||
|
||||
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
|
||||
|
||||
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
|
||||
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
|
||||
|
||||
}
|
||||
|
||||
logAction("Location", "Bulk Unarchive", "$session_name unarchived $count location(s)", $client_id);
|
||||
logAction("Location", "Bulk Restore", "$session_name restored $count location(s)", $client_id);
|
||||
|
||||
flash_alert("Unarchived <strong>$count</strong> location(s)");
|
||||
flash_alert("Restored <strong>$count</strong> location(s)");
|
||||
|
||||
}
|
||||
|
||||
@@ -356,6 +369,10 @@ if (isset($_POST['bulk_delete_locations'])) {
|
||||
|
||||
if(isset($_POST['export_locations_csv'])){
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client');
|
||||
|
||||
if ($_POST['client_id']) {
|
||||
$client_id = intval($_POST['client_id']);
|
||||
$client_query = "AND location_client_id = $client_id";
|
||||
@@ -410,6 +427,8 @@ if(isset($_POST['export_locations_csv'])){
|
||||
|
||||
if (isset($_POST["import_locations_csv"])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$client_id = intval($_POST['client_id']);
|
||||
|
||||
Reference in New Issue
Block a user