AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Calendar: Add missing CSRF checks

Browse Source
This commit is contained in:
johnnyq
2026-03-01 21:52:28 -05:00
parent 308dc6e550
commit e1daa14087
5 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
agent/modals/calendar/calendar_add.php
View File

@@ -12,6 +12,9 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<div class="modal-body"> <div class="modal-body">
<div class="form-group"> <div class="form-group">

1
agent/modals/calendar/calendar_edit.php
View File

@@ -21,6 +21,7 @@ ob_start();
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="calendar_id" value="<?php echo $calendar_id; ?>"> <input type="hidden" name="calendar_id" value="<?php echo $calendar_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/calendar/calendar_event_add.php
View File

@@ -8,6 +8,7 @@
</button> </button>
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<div class="modal-body"> <div class="modal-body">
<ul class="nav nav-pills nav-justified mb-3"> <ul class="nav nav-pills nav-justified mb-3">

3
agent/modals/calendar/calendar_event_edit.php
View File

@@ -29,6 +29,7 @@ ob_start();
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="event_id" value="<?php echo $event_id; ?>"> <input type="hidden" name="event_id" value="<?php echo $event_id; ?>">
<div class="modal-body"> <div class="modal-body">
@@ -184,7 +185,7 @@ ob_start();
</div> </div>
<div class="modal-footer"> <div class="modal-footer">
<a class="btn btn-default text-danger mr-auto" href="post.php?delete_event=<?php echo $event_id; ?>"><i class="fa fa-calendar-times mr-2"></i>Delete</a> <a class="btn btn-default text-danger mr-auto" href="post.php?delete_event=<?= $event_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fa fa-calendar-times mr-2"></i>Delete</a>
<button type="submit" name="edit_event" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Save</button> <button type="submit" name="edit_event" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Save</button>
<button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button> <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
</div> </div>

10
agent/post/event.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_calendar'])) { if (isset($_POST['add_calendar'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']); $color = sanitizeInput($_POST['color']);
@@ -25,6 +27,8 @@ if (isset($_POST['add_calendar'])) {
if (isset($_POST['edit_calendar'])) { if (isset($_POST['edit_calendar'])) {
validateCSRFToken($_POST['csrf_token']);
$calendar_id = intval($_POST['calendar_id']); $calendar_id = intval($_POST['calendar_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']); $color = sanitizeInput($_POST['color']);
@@ -41,6 +45,8 @@ if (isset($_POST['edit_calendar'])) {
if (isset($_POST['add_event'])) { if (isset($_POST['add_event'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'event_model.php'; require_once 'event_model.php';
mysqli_query($mysqli,"INSERT INTO calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client"); mysqli_query($mysqli,"INSERT INTO calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client");
@@ -111,6 +117,8 @@ if (isset($_POST['add_event'])) {
if (isset($_POST['edit_event'])) { if (isset($_POST['edit_event'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'event_model.php'; require_once 'event_model.php';
$event_id = intval($_POST['event_id']); $event_id = intval($_POST['event_id']);
@@ -178,6 +186,8 @@ if (isset($_POST['edit_event'])) {
if (isset($_GET['delete_event'])) { if (isset($_GET['delete_event'])) {
validateCSRFToken($_GET['csrf_token']);
$event_id = intval($_GET['delete_event']); $event_id = intval($_GET['delete_event']);
// Get Event Title // Get Event Title