AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1084 from itflow-org/budget-perms 

Budget - CSRF + Perms
This commit is contained in:
Johnny 2024-10-03 16:52:28 -04:00 committed by GitHub
parent 5ea271662b f8c6a5ef19
commit c948ccff5c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
budget_edit.php
View File

@ -2,6 +2,8 @@
require_once "inc_all.php"; require_once "inc_all.php";
enforceUserPermission('module_financial', 2);
// Fetch categories // Fetch categories
$query = "SELECT category_id, category_name FROM categories WHERE category_type ='Expense' AND category_archived_at IS NULL"; $query = "SELECT category_id, category_name FROM categories WHERE category_type ='Expense' AND category_archived_at IS NULL";
$result = mysqli_query($mysqli, $query); $result = mysqli_query($mysqli, $query);
@ -52,6 +54,8 @@ $grandTotal = 0;
</form> </form>
<form id="budgetForm" method="POST" action="post.php"> <form id="budgetForm" method="POST" action="post.php">
<input type="hidden" name="year" value="<?php echo $currentYear; ?>"> <input type="hidden" name="year" value="<?php echo $currentYear; ?>">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<table class="table table-bordered table-striped"> <table class="table table-bordered table-striped">
<thead> <thead>
<tr> <tr>

10
post/user/budget.php
View File

@ -5,6 +5,11 @@
*/ */
if (isset($_POST['save_budget'])) { if (isset($_POST['save_budget'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
$budgets = $_POST['budget']; $budgets = $_POST['budget'];
$year = intval($_POST['year']); $year = intval($_POST['year']);
@ -37,6 +42,11 @@ if (isset($_POST['save_budget'])) {
} }
if (isset($_POST['delete_budget'])) { if (isset($_POST['delete_budget'])) {
enforceUserPermission('module_financial', 3);
validateCSRFToken($_POST['csrf_token']);
$year = intval($_POST['year']); $year = intval($_POST['year']);
mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year"); mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");