From d936339f07260825b67feca9586ddf88180d45b0 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Mon, 2 Mar 2026 18:28:53 -0500 Subject: [PATCH] Contacts: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore --- agent/contact_details.php | 20 ++-- agent/contacts.php | 14 +-- agent/modals/contact/contact_add.php | 2 + agent/modals/contact/contact_archive.php | 7 +- agent/modals/contact/contact_edit.php | 1 + agent/modals/contact/contact_export.php | 1 + agent/modals/contact/contact_import.php | 1 + agent/modals/contact/contact_invite.php | 3 +- agent/modals/contact/contact_link_asset.php | 2 +- .../contact/contact_link_credential.php | 1 + .../modals/contact/contact_link_document.php | 1 + agent/modals/contact/contact_link_file.php | 1 + agent/modals/contact/contact_link_service.php | 1 + .../modals/contact/contact_link_software.php | 1 + agent/modals/contact/contact_note_add.php | 3 +- agent/post/contact.php | 99 +++++++++++++++---- 16 files changed, 115 insertions(+), 43 deletions(-) diff --git a/agent/contact_details.php b/agent/contact_details.php index fa5036e2..2422e5a2 100644 --- a/agent/contact_details.php +++ b/agent/contact_details.php @@ -476,7 +476,7 @@ if (isset($_GET['contact_id'])) {
Unlink @@ -616,13 +616,13 @@ if (isset($_GET['contact_id'])) {
Unlink
- + Delete @@ -709,7 +709,7 @@ if (isset($_GET['contact_id'])) { - + @@ -778,7 +778,7 @@ if (isset($_GET['contact_id'])) {
- + Delete @@ -931,7 +931,7 @@ if (isset($_GET['contact_id'])) { - + @@ -997,7 +997,7 @@ if (isset($_GET['contact_id'])) { data-modal-url="modals/document/document_view.php?id="> - + @@ -1060,7 +1060,7 @@ if (isset($_GET['contact_id'])) { KB - + @@ -1124,12 +1124,12 @@ if (isset($_GET['contact_id'])) {
- + Archive
- + Delete diff --git a/agent/contacts.php b/agent/contacts.php index c6a62bc9..87742c64 100644 --- a/agent/contacts.php +++ b/agent/contacts.php @@ -262,8 +262,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
+ +
    diff --git a/agent/modals/contact/contact_archive.php b/agent/modals/contact/contact_archive.php index 036d6d8e..dd8faf4b 100644 --- a/agent/modals/contact/contact_archive.php +++ b/agent/modals/contact/contact_archive.php @@ -8,6 +8,7 @@
+
@@ -23,7 +24,7 @@
- +
@@ -44,7 +45,7 @@
- +
@@ -53,4 +54,4 @@
- \ No newline at end of file + diff --git a/agent/modals/contact/contact_edit.php b/agent/modals/contact/contact_edit.php index 18ad5e0a..b22e21b5 100644 --- a/agent/modals/contact/contact_edit.php +++ b/agent/modals/contact/contact_edit.php @@ -53,6 +53,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_export.php b/agent/modals/contact/contact_export.php index 12f9877b..acd8c53d 100644 --- a/agent/modals/contact/contact_export.php +++ b/agent/modals/contact/contact_export.php @@ -15,6 +15,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_import.php b/agent/modals/contact/contact_import.php index 2142d6d5..f1a5214e 100644 --- a/agent/modals/contact/contact_import.php +++ b/agent/modals/contact/contact_import.php @@ -15,6 +15,7 @@ ob_start();
+

Format csv file with headings & data:
Name, Title, Department, Email, Phone, Extension, Mobile, Location

diff --git a/agent/modals/contact/contact_invite.php b/agent/modals/contact/contact_invite.php index f755dc80..ba8ead13 100644 --- a/agent/modals/contact/contact_invite.php +++ b/agent/modals/contact/contact_invite.php @@ -9,6 +9,7 @@
+
@@ -81,4 +82,4 @@
- \ No newline at end of file + diff --git a/agent/modals/contact/contact_link_asset.php b/agent/modals/contact/contact_link_asset.php index 0443126e..52a133e0 100644 --- a/agent/modals/contact/contact_link_asset.php +++ b/agent/modals/contact/contact_link_asset.php @@ -13,7 +13,6 @@ $row = mysqli_fetch_assoc($sql); $contact_name = nullable_htmlentities($row['contact_name']); $client_id = intval($row['contact_client_id']); -// Generate the HTML form content using output buffering. ob_start(); ?> @@ -25,6 +24,7 @@ ob_start(); +
diff --git a/agent/modals/contact/contact_link_credential.php b/agent/modals/contact/contact_link_credential.php index 5fffa77c..ab0fe866 100644 --- a/agent/modals/contact/contact_link_credential.php +++ b/agent/modals/contact/contact_link_credential.php @@ -25,6 +25,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_link_document.php b/agent/modals/contact/contact_link_document.php index 946f8ecb..9b94972e 100644 --- a/agent/modals/contact/contact_link_document.php +++ b/agent/modals/contact/contact_link_document.php @@ -25,6 +25,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_link_file.php b/agent/modals/contact/contact_link_file.php index a12d2e3a..48a2f3a3 100644 --- a/agent/modals/contact/contact_link_file.php +++ b/agent/modals/contact/contact_link_file.php @@ -25,6 +25,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_link_service.php b/agent/modals/contact/contact_link_service.php index e8d8e447..8b2d15bc 100644 --- a/agent/modals/contact/contact_link_service.php +++ b/agent/modals/contact/contact_link_service.php @@ -25,6 +25,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_link_software.php b/agent/modals/contact/contact_link_software.php index f53cac9f..f3e0b825 100644 --- a/agent/modals/contact/contact_link_software.php +++ b/agent/modals/contact/contact_link_software.php @@ -25,6 +25,7 @@ ob_start();
+
diff --git a/agent/modals/contact/contact_note_add.php b/agent/modals/contact/contact_note_add.php index fefaf7df..6c3c8768 100644 --- a/agent/modals/contact/contact_note_add.php +++ b/agent/modals/contact/contact_note_add.php @@ -8,8 +8,8 @@ $sql = mysqli_query($mysqli, "SELECT contact_name FROM contacts WHERE contact_id $row = mysqli_fetch_assoc($sql); $contact_name = nullable_htmlentities($row['contact_name']); -// Generate the HTML form content using output buffering. ob_start(); + ?>
@@ -20,6 +20,7 @@ ob_start();
+
diff --git a/agent/post/contact.php b/agent/post/contact.php index d1ad06c8..d00bae98 100644 --- a/agent/post/contact.php +++ b/agent/post/contact.php @@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_contact'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); require_once 'contact_model.php'; @@ -78,6 +80,8 @@ if (isset($_POST['add_contact'])) { if (isset($_POST['edit_contact'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); require_once 'contact_model.php'; @@ -218,6 +222,8 @@ if (isset($_POST['edit_contact'])) { if (isset($_POST['add_contact_note'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $contact_id = intval($_POST['contact_id']); @@ -245,6 +251,8 @@ if (isset($_POST['add_contact_note'])) { if (isset($_GET['archive_contact_note'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_client', 2); $contact_note_id = intval($_GET['archive_contact_note']); @@ -267,7 +275,9 @@ if (isset($_GET['archive_contact_note'])) { } -if (isset($_GET['unarchive_contact_note'])) { +if (isset($_GET['restore_contact_note'])) { + + validateCSRFToken($_GET['csrf_token']); enforceUserPermission('module_client', 2); @@ -293,6 +303,8 @@ if (isset($_GET['unarchive_contact_note'])) { if (isset($_GET['delete_contact_note'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_client', 3); $contact_note_id = intval($_GET['delete_contact_note']); @@ -317,6 +329,8 @@ if (isset($_GET['delete_contact_note'])) { if (isset($_POST['bulk_assign_contact_location'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $location_id = intval($_POST['bulk_location_id']); @@ -358,6 +372,8 @@ if (isset($_POST['bulk_assign_contact_location'])) { if (isset($_POST['bulk_edit_contact_phone'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']); @@ -394,6 +410,8 @@ if (isset($_POST['bulk_edit_contact_phone'])) { if (isset($_POST['bulk_edit_contact_department'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $department = sanitizeInput($_POST['bulk_department']); @@ -430,6 +448,8 @@ if (isset($_POST['bulk_edit_contact_department'])) { if (isset($_POST['bulk_edit_contact_role'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $contact_important = intval($_POST['bulk_contact_important']); @@ -470,6 +490,8 @@ if (isset($_POST['bulk_edit_contact_role'])) { if (isset($_POST['bulk_assign_contact_tags'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); // Assign Location to Selected Contacts @@ -519,6 +541,10 @@ if (isset($_POST['bulk_assign_contact_tags'])) { if (isset($_POST['send_bulk_mail_now'])) { + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client'); + if (isset($_POST['contact_ids'])) { $count = count($_POST['contact_ids']); @@ -564,9 +590,9 @@ if (isset($_POST['send_bulk_mail_now'])) { if (isset($_POST['bulk_archive_contacts'])) { - enforceUserPermission('module_client', 2); + validateCSRFToken($_POST['csrf_token']); - //validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); if (isset($_POST['contact_ids'])) { @@ -611,10 +637,11 @@ if (isset($_POST['bulk_archive_contacts'])) { redirect(); } -if (isset($_POST['bulk_unarchive_contacts'])) { +if (isset($_POST['bulk_restore_contacts'])) { + + validateCSRFToken($_POST['csrf_token']); enforceUserPermission('module_client', 2); - //validateCSRFToken($_POST['csrf_token']); if (isset($_POST['contact_ids'])) { @@ -699,6 +726,8 @@ if (isset($_POST['bulk_delete_contacts'])) { if (isset($_GET['anonymize_contact'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_client', 3); $contact_id = intval($_GET['anonymize_contact']); @@ -803,6 +832,8 @@ if (isset($_GET['anonymize_contact'])) { if (isset($_GET['archive_contact'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['archive_contact']); @@ -829,11 +860,13 @@ if (isset($_GET['archive_contact'])) { } -if (isset($_GET['unarchive_contact'])) { +if (isset($_GET['restore_contact'])) { - validateAdminRole(); + validateCSRFToken($_GET['csrf_token']); - $contact_id = intval($_GET['unarchive_contact']); + enforceUserPermission('module_client', 2); + + $contact_id = intval($_GET['restore_contact']); // Get Contact Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id"); @@ -849,9 +882,9 @@ if (isset($_GET['unarchive_contact'])) { mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id"); - logAction("Contact", "Unarchive", "$session_name unarchived contact $contact_name", $client_id, $contact_id); + logAction("Contact", "Restore", "$session_name restored contact $contact_name", $client_id, $contact_id); - flash_alert("Contact $contact_name has been Unarchived"); + flash_alert("Contact $contact_name Restored"); redirect(); @@ -859,6 +892,8 @@ if (isset($_GET['unarchive_contact'])) { if (isset($_GET['delete_contact'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_client', 3); $contact_id = intval($_GET['delete_contact']); @@ -887,7 +922,9 @@ if (isset($_GET['delete_contact'])) { if (isset($_POST['link_contact_to_asset'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $asset_id = intval($_POST['asset_id']); $contact_id = intval($_POST['contact_id']); @@ -913,7 +950,9 @@ if (isset($_POST['link_contact_to_asset'])) { if (isset($_GET['unlink_asset_from_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['contact_id']); $asset_id = intval($_GET['asset_id']); @@ -939,7 +978,9 @@ if (isset($_GET['unlink_asset_from_contact'])) { if (isset($_POST['link_software_to_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $software_id = intval($_POST['software_id']); $contact_id = intval($_POST['contact_id']); @@ -965,7 +1006,9 @@ if (isset($_POST['link_software_to_contact'])) { if (isset($_GET['unlink_software_from_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['contact_id']); $software_id = intval($_GET['software_id']); @@ -991,7 +1034,9 @@ if (isset($_GET['unlink_software_from_contact'])) { if (isset($_POST['link_contact_to_credential'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $credential_id = intval($_POST['credential_id']); $contact_id = intval($_POST['contact_id']); @@ -1017,7 +1062,9 @@ if (isset($_POST['link_contact_to_credential'])) { if (isset($_GET['unlink_credential_from_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['contact_id']); $credential_id = intval($_GET['credential_id']); @@ -1043,7 +1090,9 @@ if (isset($_GET['unlink_credential_from_contact'])) { if (isset($_POST['link_service_to_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $service_id = intval($_POST['service_id']); $contact_id = intval($_POST['contact_id']); @@ -1069,7 +1118,9 @@ if (isset($_POST['link_service_to_contact'])) { if (isset($_GET['unlink_service_from_contact'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['contact_id']); $service_id = intval($_GET['service_id']); @@ -1095,7 +1146,9 @@ if (isset($_GET['unlink_service_from_contact'])) { if (isset($_POST['link_contact_to_file'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_client', 2); $file_id = intval($_POST['file_id']); $contact_id = intval($_POST['contact_id']); @@ -1122,7 +1175,9 @@ if (isset($_POST['link_contact_to_file'])) { if (isset($_GET['unlink_contact_from_file'])) { - enforceUserPermission('module_support', 2); + validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_client', 2); $contact_id = intval($_GET['contact_id']); $file_id = intval($_GET['file_id']); @@ -1148,6 +1203,8 @@ if (isset($_GET['unlink_contact_from_file'])) { if (isset($_POST['export_contacts_csv'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client'); if ($_POST['client_id']) { @@ -1204,6 +1261,8 @@ if (isset($_POST['export_contacts_csv'])) { if (isset($_POST["import_contacts_csv"])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_client', 2); $client_id = intval($_POST['client_id']);