Check CSRF and Enforce ClientAccess when deactivating Shared Items

2026-06-26 19:50:40 +00:00 · 2026-06-26 12:17:38 -04:00
parent f14fa22222
commit e7b53388a0
2 changed files with 5 additions and 1 deletions
--- a/agent/client_overview.php
+++ b/agent/client_overview.php
@@ -467,7 +467,7 @@ $sql_asset_retired = mysqli_query(
                                </td>
                                <td title="Expires at <?php echo $item_expire_at; ?>">Expires <?php echo $item_expire_at_human ?></td>
                                <td title="Deactivate Link">
-                                    <a class="text-danger confirm-link" href="post.php?deactivate_shared_item=<?php echo $item_id; ?>">
+                                    <a class="text-danger confirm-link" href="post.php?deactivate_shared_item=<?php echo $item_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                        <i class="fas fa-fw fa-calendar-times mr-2"></i>
                                    </a>
                                </td>
--- a/post/misc.php
+++ b/post/misc.php
@@ -63,6 +63,8 @@ if (isset($_GET['dismiss_all_notifications'])) {
 // Revoke sharing (sharing itself is done via ajax.php)
 if (isset($_GET['deactivate_shared_item'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
    $item_id = intval($_GET['deactivate_shared_item']);

    // Get details of the shared link
@@ -72,6 +74,8 @@ if (isset($_GET['deactivate_shared_item'])) {
    $item_related_id = intval($row['item_related_id']);
    $client_id = intval($row['item_client_id']);

+    enforceClientAccess();
+
    // Deactivate item id
    mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_id = $item_id");