From f8c6a5ef1969545ff5e813847dc13f91c5b0c9b9 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Thu, 3 Oct 2024 20:52:37 +0100
Subject: [PATCH] Budget - CSRF + Perms
---
 budget_edit.php | 4 ++++
 post/user/budget.php | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/budget_edit.php b/budget_edit.php
index fe448b0c..76051bd0 100644
--- a/budget_edit.php
+++ b/budget_edit.php
@@ -2,6 +2,8 @@
 
 require_once "inc_all.php";
 
+enforceUserPermission('module_financial', 2);
+
 // Fetch categories
 $query = "SELECT category_id, category_name FROM categories WHERE category_type ='Expense' AND category_archived_at IS NULL";
 $result = mysqli_query($mysqli, $query);
@@ -52,6 +54,8 @@ $grandTotal = 0;
+ +
diff --git a/post/user/budget.php b/post/user/budget.php
index 2b50fe9b..ad3c381b 100644
--- a/post/user/budget.php
+++ b/post/user/budget.php
@@ -5,6 +5,11 @@
  */
 
 if (isset($_POST['save_budget'])) {
+
+    enforceUserPermission('module_financial', 2);
+
+    validateCSRFToken($_POST['csrf_token']);
+
     $budgets = $_POST['budget'];
     $year = intval($_POST['year']);
 
@@ -37,6 +42,11 @@ if (isset($_POST['save_budget'])) {
 }
 
 if (isset($_POST['delete_budget'])) {
+
+    enforceUserPermission('module_financial', 3);
+
+    validateCSRFToken($_POST['csrf_token']);
+
     $year = intval($_POST['year']);
 
     mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");
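Review bot: The new `validateCSRFToken($_POST['csrf_token']);` in the save_budget handler reads the key unconditionally, so a POST that omits the token raises an undefined-array-key warning and passes null to the validator rather than taking the normal rejection path; prefer `validateCSRFToken($_POST['csrf_token'] ?? '');` so a missing token is handled exactly like a wrong one. The same line is repeated in the delete_budget hunk below and should get the same change. Whether null would already be rejected depends on validateCSRFToken's signature, which is outside this diff, so this is worth confirming either way. The save_budget block continues past the end of the hunk.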
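Review bot: The delete_budget handler now requires level 3 on module_financial while budget_edit.php in the first file is gated at level 2, so a level-2 user who can open the page is only refused when the delete form is submitted. If the page renders the delete control (its markup is not visible in this diff, and the second budget_edit.php hunk is truncated here), it should be wrapped in the same level-3 check so the UI matches the handler, with a short comment such as `// delete needs level 3, matching post/user/budget.php` explaining the split. The permission gate itself is correct and runs before the DELETE, which is the important part.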