Contacts: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore

2026-03-11 08:14:52 +00:00 · 2026-03-02 18:28:53 -05:00
parent ad16e92763
commit d936339f07
16 changed files with 115 additions and 43 deletions
--- a/agent/modals/contact/contact_add.php
+++ b/agent/modals/contact/contact_add.php
@@ -23,6 +23,8 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
    <div class="modal-body">

        <ul class="nav nav-pills nav-justified mb-3">
--- a/agent/modals/contact/contact_archive.php
+++ b/agent/modals/contact/contact_archive.php
@@ -8,6 +8,7 @@
                </button>
            </div>
            <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
                <div class="modal-body">

@@ -23,7 +24,7 @@
                            <label class="custom-control-label" for="unassignAssetsCheckbox<?php echo $contact_id; ?>">Assets</label>
                        </div>
                    </div>
-                
+
                    <div class="form-group">
                        <div class="custom-control custom-checkbox">
                            <input type="checkbox" class="custom-control-input" id="unassignLicensesCheckbox<?php echo $contact_id; ?>" name="unassign_licenses" value="1">
@@ -44,7 +45,7 @@
                            <label class="custom-control-label" for="anonymizeCheckbox<?php echo $contact_id; ?>">Anonymize Contact</label>
                        </div>
                    </div>
-                
+
                </div>
                <div class="modal-footer">
                    <button type="submit" name="archive_contact" class="btn btn-danger text-bold"><i class="fas fa-check mr-2"></i>Arhive</button>
@@ -53,4 +54,4 @@
            </form>
        </div>
    </div>
-</div>
+</div>
--- a/agent/modals/contact/contact_edit.php
+++ b/agent/modals/contact/contact_edit.php
@@ -53,6 +53,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
    <div class="modal-body">
--- a/agent/modals/contact/contact_export.php
+++ b/agent/modals/contact/contact_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/contact/contact_import.php
+++ b/agent/modals/contact/contact_import.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">
    <div class="modal-body">
        <p><strong>Format csv file with headings & data:</strong><br>Name, Title, Department, Email, Phone, Extension, Mobile, Location</p>
--- a/agent/modals/contact/contact_invite.php
+++ b/agent/modals/contact/contact_invite.php
@@ -9,6 +9,7 @@
            </div>

            <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">

                <div class="modal-body">
@@ -81,4 +82,4 @@

        </div>
    </div>
-</div>
+</div>
--- a/agent/modals/contact/contact_link_asset.php
+++ b/agent/modals/contact/contact_link_asset.php
@@ -13,7 +13,6 @@ $row = mysqli_fetch_assoc($sql);
 $contact_name = nullable_htmlentities($row['contact_name']);
 $client_id = intval($row['contact_client_id']);

-// Generate the HTML form content using output buffering.
 ob_start();

 ?>
@@ -25,6 +24,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_link_credential.php
+++ b/agent/modals/contact/contact_link_credential.php
@@ -25,6 +25,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_link_document.php
+++ b/agent/modals/contact/contact_link_document.php
@@ -25,6 +25,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_link_file.php
+++ b/agent/modals/contact/contact_link_file.php
@@ -25,6 +25,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_link_service.php
+++ b/agent/modals/contact/contact_link_service.php
@@ -25,6 +25,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_link_software.php
+++ b/agent/modals/contact/contact_link_software.php
@@ -25,6 +25,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
    <div class="modal-body">

--- a/agent/modals/contact/contact_note_add.php
+++ b/agent/modals/contact/contact_note_add.php
@@ -8,8 +8,8 @@ $sql = mysqli_query($mysqli, "SELECT contact_name FROM contacts WHERE contact_id
 $row = mysqli_fetch_assoc($sql);
 $contact_name = nullable_htmlentities($row['contact_name']);

-// Generate the HTML form content using output buffering.
 ob_start();
+
 ?>

 <div class="modal-header bg-dark">
@@ -20,6 +20,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">

    <div class="modal-body">