Merge pull request #1084 from itflow-org/budget-perms

Budget - CSRF + Perms
2026-02-28 02:44:53 +00:00 · 2024-10-03 16:52:28 -04:00
parent 5ea271662b f8c6a5ef19
commit c948ccff5c
2 changed files with 14 additions and 0 deletions
--- a/post/user/budget.php
+++ b/post/user/budget.php
@@ -5,6 +5,11 @@
 */

 if (isset($_POST['save_budget'])) {
+
+    enforceUserPermission('module_financial', 2);
+
+    validateCSRFToken($_POST['csrf_token']);
+
    $budgets = $_POST['budget'];
    $year = intval($_POST['year']);

@@ -37,6 +42,11 @@ if (isset($_POST['save_budget'])) {
 }

 if (isset($_POST['delete_budget'])) {
+
+    enforceUserPermission('module_financial', 3);
+
+    validateCSRFToken($_POST['csrf_token']);
+
    $year = intval($_POST['year']);

    mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");