Contacts: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore

agent/contact_details.php

@@ -476,7 +476,7 @@ if (isset($_GET['contact_id'])) {
                                                 </a>
                                                 <div class="dropdown-divider"></div>
                                                 <a class="dropdown-item"
-                                                    href="post.php?unlink_asset_from_contact&contact_id=<?= $contact_id ?>&asset_id=<?= $asset_id ?>"
+                                                    href="post.php?unlink_asset_from_contact&contact_id=<?= $contact_id ?>&asset_id=<?= $asset_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"
                                                     class="btn btn-secondary btn-sm" title="Unlink">
                                                     <i class="fas fa-fw fa-unlink mr-2"></i>Unlink
                                                 </a>
@@ -616,13 +616,13 @@ if (isset($_GET['contact_id'])) {
                                                 </a>
                                                 <div class="dropdown-divider"></div>
                                                 <a class="dropdown-item"
-                                                    href="post.php?unlink_credential_from_contact&contact_id=<?php echo $contact_id; ?>&credential_id=<?php echo $credential_id; ?>"
+                                                    href="post.php?unlink_credential_from_contact&contact_id=<?php echo $contact_id; ?>&credential_id=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"
                                                     class="btn btn-secondary btn-sm" title="Unlink">
                                                     <i class="fas fa-fw fa-unlink mr-2"></i>Unlink
                                                 </a>
                                                 <?php if ($session_user_role == 3) { ?>
                                                     <div class="dropdown-divider"></div>
-                                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_credential=<?php echo $credential_id; ?>">
+                                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_credential=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                     </a>
                                                 <?php } ?>
@@ -709,7 +709,7 @@ if (isset($_GET['contact_id'])) {
                                     <td><?php echo $software_license_type; ?></td>
                                     <td><?php echo "$seat_count / $software_seats"; ?></td>
                                     <td class="text-center">
-                                        <a href="post.php?unlink_software_from_contact&contact_id=<?php echo $contact_id; ?>&software_id=<?php echo $software_id; ?>" class="btn btn-secondary btn-sm" title="Remove License"><i class="fas fa-fw fa-unlink"></i></a>
+                                        <a href="post.php?unlink_software_from_contact&contact_id=<?php echo $contact_id; ?>&software_id=<?php echo $software_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Remove License"><i class="fas fa-fw fa-unlink"></i></a>
                                     </td>
                                 </tr>
 
@@ -778,7 +778,7 @@ if (isset($_GET['contact_id'])) {
                                                 <?php
                                                 if ($session_user_role == 3) { ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_ticket=<?php echo $recurring_ticket_id; ?>">
+                                                <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_ticket=<?php echo $recurring_ticket_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                 </a>
                                             </div>
@@ -931,7 +931,7 @@ if (isset($_GET['contact_id'])) {
                                     <td><?php echo $service_category; ?></td>
                                     <td><?php echo $service_importance; ?></td>
                                     <td class="text-center">
-                                        <a href="post.php?unlink_service_from_contact&contact_id=<?php echo $contact_id; ?>&service_id=<?php echo $service_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
+                                        <a href="post.php?unlink_service_from_contact&contact_id=<?php echo $contact_id; ?>&service_id=<?php echo $service_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
                                     </td>
                                 </tr>
 
@@ -997,7 +997,7 @@ if (isset($_GET['contact_id'])) {
                                             data-modal-url="modals/document/document_view.php?id=<?= $document_id ?>">
                                             <i class="fas fa-fw fa-eye"></i>
                                         </a>
-                                        <a href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
+                                        <a href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
                                     </td>
                                 </tr>
 
@@ -1060,7 +1060,7 @@ if (isset($_GET['contact_id'])) {
                                     <td><?php echo $file_size_KB; ?> KB</td>
                                     <td><?php echo $file_created_at; ?></td>
                                     <td class="text-center">
-                                        <a href="post.php?unlink_contact_from_file&contact_id=<?php echo $contact_id; ?>&file_id=<?php echo $file_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
+                                        <a href="post.php?unlink_contact_from_file&contact_id=<?php echo $contact_id; ?>&file_id=<?php echo $file_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
                                     </td>
                                 </tr>
 
@@ -1124,12 +1124,12 @@ if (isset($_GET['contact_id'])) {
                                                 <i class="fas fa-ellipsis-h"></i>
                                             </button>
                                             <div class="dropdown-menu">
-                                                <a class="dropdown-item text-danger" href="post.php?archive_contact_note=<?php echo $contact_note_id; ?>">
+                                                <a class="dropdown-item text-danger" href="post.php?archive_contact_note=<?php echo $contact_note_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                 </a>
                                                 <?php if ($session_user_role == 3) { ?>
                                                     <div class="dropdown-divider"></div>
-                                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_contact_note=<?php echo $contact_note_id; ?>">
+                                                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_contact_note=<?php echo $contact_note_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                     </a>
                                                 <?php } ?>

agent/contacts.php

@@ -262,8 +262,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                 <?php if ($archived) { ?>
                                 <div class="dropdown-divider"></div>
                                 <button class="dropdown-item text-info"
-                                    type="submit" form="bulkActions" name="bulk_unarchive_contacts">
+                                    type="submit" form="bulkActions" name="bulk_restore_contacts">
-                                    <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                    <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                 </button>
                                 <div class="dropdown-divider"></div>
                                 <button class="dropdown-item text-danger text-bold"
@@ -526,23 +526,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                         <?php if ($session_user_role == 3 && $contact_primary == 0) { ?>
                                             <?php if ($contact_archived_at) { ?>
                                             <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-info confirm-link" href="post.php?unarchive_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-info confirm-link" href="post.php?restore_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
-                                                <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                                <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                             </a>
                                             <?php } else { ?>
                                             <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                             </a>
                                             <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-user-secret mr-2"></i>Anonymize & Archive
                                             </a>
                                             <?php } ?>
 
                                             <?php if ($config_destructive_deletes_enable) { ?>
                                             <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?php echo $contact_id; ?>">
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                             </a>
                                             <?php } ?>

agent/modals/contact/contact_add.php

@@ -23,6 +23,8 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
+
     <div class="modal-body">
 
         <ul class="nav nav-pills nav-justified mb-3">

agent/modals/contact/contact_archive.php

@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
                 <div class="modal-body">
 
@@ -23,7 +24,7 @@
                             <label class="custom-control-label" for="unassignAssetsCheckbox<?php echo $contact_id; ?>">Assets</label>
                         </div>
                     </div>
-                
+
                     <div class="form-group">
                         <div class="custom-control custom-checkbox">
                             <input type="checkbox" class="custom-control-input" id="unassignLicensesCheckbox<?php echo $contact_id; ?>" name="unassign_licenses" value="1">
@@ -44,7 +45,7 @@
                             <label class="custom-control-label" for="anonymizeCheckbox<?php echo $contact_id; ?>">Anonymize Contact</label>
                         </div>
                     </div>
-                
+
                 </div>
                 <div class="modal-footer">
                     <button type="submit" name="archive_contact" class="btn btn-danger text-bold"><i class="fas fa-check mr-2"></i>Arhive</button>
@@ -53,4 +54,4 @@
             </form>
         </div>
     </div>
-</div>
+</div>

agent/modals/contact/contact_edit.php

@@ -53,6 +53,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <div class="modal-body">

agent/modals/contact/contact_export.php

@@ -15,6 +15,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?= $client_id ?>">
 
     <div class="modal-body">

agent/modals/contact/contact_import.php

@@ -15,6 +15,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?= $client_id ?>">
     <div class="modal-body">
         <p><strong>Format csv file with headings & data:</strong><br>Name, Title, Department, Email, Phone, Extension, Mobile, Location</p>

agent/modals/contact/contact_invite.php

@@ -9,6 +9,7 @@
             </div>
 
             <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
 
                 <div class="modal-body">
@@ -81,4 +82,4 @@
 
         </div>
     </div>
-</div>
+</div>

agent/modals/contact/contact_link_asset.php

@@ -13,7 +13,6 @@ $row = mysqli_fetch_assoc($sql);
 $contact_name = nullable_htmlentities($row['contact_name']);
 $client_id = intval($row['contact_client_id']);
 
-// Generate the HTML form content using output buffering.
 ob_start();
 
 ?>
@@ -25,6 +24,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_link_credential.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_link_document.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_link_file.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_link_service.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_link_software.php

@@ -25,6 +25,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
     <div class="modal-body">
 

agent/modals/contact/contact_note_add.php

@@ -8,8 +8,8 @@ $sql = mysqli_query($mysqli, "SELECT contact_name FROM contacts WHERE contact_id
 $row = mysqli_fetch_assoc($sql);
 $contact_name = nullable_htmlentities($row['contact_name']);
 
-// Generate the HTML form content using output buffering.
 ob_start();
+
 ?>
 
 <div class="modal-header bg-dark">
@@ -20,6 +20,7 @@ ob_start();
 </div>
 
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
 
     <div class="modal-body">

agent/post/contact.php

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_contact'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     require_once 'contact_model.php';
@@ -78,6 +80,8 @@ if (isset($_POST['add_contact'])) {
 
 if (isset($_POST['edit_contact'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     require_once 'contact_model.php';
@@ -218,6 +222,8 @@ if (isset($_POST['edit_contact'])) {
 
 if (isset($_POST['add_contact_note'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_POST['contact_id']);
@@ -245,6 +251,8 @@ if (isset($_POST['add_contact_note'])) {
 
 if (isset($_GET['archive_contact_note'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $contact_note_id = intval($_GET['archive_contact_note']);
@@ -267,7 +275,9 @@ if (isset($_GET['archive_contact_note'])) {
 
 }
 
-if (isset($_GET['unarchive_contact_note'])) {
+if (isset($_GET['restore_contact_note'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
 
     enforceUserPermission('module_client', 2);
 
@@ -293,6 +303,8 @@ if (isset($_GET['unarchive_contact_note'])) {
 
 if (isset($_GET['delete_contact_note'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_client', 3);
 
     $contact_note_id = intval($_GET['delete_contact_note']);
@@ -317,6 +329,8 @@ if (isset($_GET['delete_contact_note'])) {
 
 if (isset($_POST['bulk_assign_contact_location'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $location_id = intval($_POST['bulk_location_id']);
@@ -358,6 +372,8 @@ if (isset($_POST['bulk_assign_contact_location'])) {
 
 if (isset($_POST['bulk_edit_contact_phone'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']);
@@ -394,6 +410,8 @@ if (isset($_POST['bulk_edit_contact_phone'])) {
 
 if (isset($_POST['bulk_edit_contact_department'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $department = sanitizeInput($_POST['bulk_department']);
@@ -430,6 +448,8 @@ if (isset($_POST['bulk_edit_contact_department'])) {
 
 if (isset($_POST['bulk_edit_contact_role'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $contact_important = intval($_POST['bulk_contact_important']);
@@ -470,6 +490,8 @@ if (isset($_POST['bulk_edit_contact_role'])) {
 
 if (isset($_POST['bulk_assign_contact_tags'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     // Assign Location to Selected Contacts
@@ -519,6 +541,10 @@ if (isset($_POST['bulk_assign_contact_tags'])) {
 
 if (isset($_POST['send_bulk_mail_now'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client');
+
     if (isset($_POST['contact_ids'])) {
 
         $count = count($_POST['contact_ids']);
@@ -564,9 +590,9 @@ if (isset($_POST['send_bulk_mail_now'])) {
 
 if (isset($_POST['bulk_archive_contacts'])) {
 
-    enforceUserPermission('module_client', 2);
+    validateCSRFToken($_POST['csrf_token']);
 
-    //validateCSRFToken($_POST['csrf_token']);
+    enforceUserPermission('module_client', 2);
 
     if (isset($_POST['contact_ids'])) {
 
@@ -611,10 +637,11 @@ if (isset($_POST['bulk_archive_contacts'])) {
     redirect();
 }
 
-if (isset($_POST['bulk_unarchive_contacts'])) {
+if (isset($_POST['bulk_restore_contacts'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
 
     enforceUserPermission('module_client', 2);
-    //validateCSRFToken($_POST['csrf_token']);
 
     if (isset($_POST['contact_ids'])) {
 
@@ -699,6 +726,8 @@ if (isset($_POST['bulk_delete_contacts'])) {
 
 if (isset($_GET['anonymize_contact'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_client', 3);
 
     $contact_id = intval($_GET['anonymize_contact']);
@@ -803,6 +832,8 @@ if (isset($_GET['anonymize_contact'])) {
 
 if (isset($_GET['archive_contact'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['archive_contact']);
@@ -829,11 +860,13 @@ if (isset($_GET['archive_contact'])) {
 
 }
 
-if (isset($_GET['unarchive_contact'])) {
+if (isset($_GET['restore_contact'])) {
 
-    validateAdminRole();
+    validateCSRFToken($_GET['csrf_token']);
 
-    $contact_id = intval($_GET['unarchive_contact']);
+    enforceUserPermission('module_client', 2);
+
+    $contact_id = intval($_GET['restore_contact']);
 
     // Get Contact Name and Client ID for logging and alert message
     $sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
@@ -849,9 +882,9 @@ if (isset($_GET['unarchive_contact'])) {
 
     mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
 
-    logAction("Contact", "Unarchive", "$session_name unarchived contact $contact_name", $client_id, $contact_id);
+    logAction("Contact", "Restore", "$session_name restored contact $contact_name", $client_id, $contact_id);
 
-    flash_alert("Contact <strong>$contact_name</strong> has been Unarchived");
+    flash_alert("Contact <strong>$contact_name</strong> Restored");
 
     redirect();
 
@@ -859,6 +892,8 @@ if (isset($_GET['unarchive_contact'])) {
 
 if (isset($_GET['delete_contact'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_client', 3);
 
     $contact_id = intval($_GET['delete_contact']);
@@ -887,7 +922,9 @@ if (isset($_GET['delete_contact'])) {
 
 if (isset($_POST['link_contact_to_asset'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $asset_id = intval($_POST['asset_id']);
     $contact_id = intval($_POST['contact_id']);
@@ -913,7 +950,9 @@ if (isset($_POST['link_contact_to_asset'])) {
 
 if (isset($_GET['unlink_asset_from_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['contact_id']);
     $asset_id = intval($_GET['asset_id']);
@@ -939,7 +978,9 @@ if (isset($_GET['unlink_asset_from_contact'])) {
 
 if (isset($_POST['link_software_to_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $software_id = intval($_POST['software_id']);
     $contact_id = intval($_POST['contact_id']);
@@ -965,7 +1006,9 @@ if (isset($_POST['link_software_to_contact'])) {
 
 if (isset($_GET['unlink_software_from_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['contact_id']);
     $software_id = intval($_GET['software_id']);
@@ -991,7 +1034,9 @@ if (isset($_GET['unlink_software_from_contact'])) {
 
 if (isset($_POST['link_contact_to_credential'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $credential_id = intval($_POST['credential_id']);
     $contact_id = intval($_POST['contact_id']);
@@ -1017,7 +1062,9 @@ if (isset($_POST['link_contact_to_credential'])) {
 
 if (isset($_GET['unlink_credential_from_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['contact_id']);
     $credential_id = intval($_GET['credential_id']);
@@ -1043,7 +1090,9 @@ if (isset($_GET['unlink_credential_from_contact'])) {
 
 if (isset($_POST['link_service_to_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $service_id = intval($_POST['service_id']);
     $contact_id = intval($_POST['contact_id']);
@@ -1069,7 +1118,9 @@ if (isset($_POST['link_service_to_contact'])) {
 
 if (isset($_GET['unlink_service_from_contact'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['contact_id']);
     $service_id = intval($_GET['service_id']);
@@ -1095,7 +1146,9 @@ if (isset($_GET['unlink_service_from_contact'])) {
 
 if (isset($_POST['link_contact_to_file'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $file_id = intval($_POST['file_id']);
     $contact_id = intval($_POST['contact_id']);
@@ -1122,7 +1175,9 @@ if (isset($_POST['link_contact_to_file'])) {
 
 if (isset($_GET['unlink_contact_from_file'])) {
 
-    enforceUserPermission('module_support', 2);
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_client', 2);
 
     $contact_id = intval($_GET['contact_id']);
     $file_id = intval($_GET['file_id']);
@@ -1148,6 +1203,8 @@ if (isset($_GET['unlink_contact_from_file'])) {
 
 if (isset($_POST['export_contacts_csv'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client');
 
     if ($_POST['client_id']) {
@@ -1204,6 +1261,8 @@ if (isset($_POST['export_contacts_csv'])) {
 
 if (isset($_POST["import_contacts_csv"])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_client', 2);
 
     $client_id = intval($_POST['client_id']);