Contacts: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore

2026-03-11 08:14:52 +00:00 · 2026-03-02 18:28:53 -05:00
parent ad16e92763
commit d936339f07
16 changed files with 115 additions and 43 deletions
--- a/agent/contacts.php
+++ b/agent/contacts.php
@@ -262,8 +262,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                <?php if ($archived) { ?>
                                <div class="dropdown-divider"></div>
                                <button class="dropdown-item text-info"
-                                    type="submit" form="bulkActions" name="bulk_unarchive_contacts">
-                                    <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                    type="submit" form="bulkActions" name="bulk_restore_contacts">
+                                    <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                </button>
                                <div class="dropdown-divider"></div>
                                <button class="dropdown-item text-danger text-bold"
@@ -526,23 +526,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                        <?php if ($session_user_role == 3 && $contact_primary == 0) { ?>
                                            <?php if ($contact_archived_at) { ?>
                                            <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-info confirm-link" href="post.php?unarchive_contact=<?php echo $contact_id; ?>">
-                                                <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                            <a class="dropdown-item text-info confirm-link" href="post.php?restore_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
+                                                <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                            </a>
                                            <?php } else { ?>
                                            <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                            </a>
                                            <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                <i class="fas fa-fw fa-user-secret mr-2"></i>Anonymize & Archive
                                            </a>
                                            <?php } ?>

                                            <?php if ($config_destructive_deletes_enable) { ?>
                                            <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                            </a>
                                            <?php } ?>