AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

racks: Add missing CSRF checks rename unarchive to restore

Browse Source
This commit is contained in:
johnnyq
2026-03-02 20:22:36 -05:00
parent 8bac4f9e53
commit e7b5e7120a
5 changed files with 27 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
agent/modals/rack/rack_add.php
View File

@@ -15,7 +15,7 @@ ob_start();
</div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body">

2
agent/modals/rack/rack_device_add.php
View File

@@ -21,7 +21,7 @@ ob_start();
</div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>">

2
agent/modals/rack/rack_edit.php
View File

@@ -31,7 +31,7 @@ ob_start();
</div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">

24
agent/post/rack.php
View File

@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_rack'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
@@ -51,6 +53,8 @@ if (isset($_POST['add_rack'])) {
if (isset($_POST['edit_rack'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$rack_id = intval($_POST['rack_id']);
@@ -93,6 +97,8 @@ if (isset($_POST['edit_rack'])) {
if (isset($_GET['archive_rack'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$rack_id = intval($_GET['archive_rack']);
@@ -113,11 +119,13 @@ if (isset($_GET['archive_rack'])) {
}
if (isset($_GET['unarchive_rack'])) {
if (isset($_GET['restore_rack'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 2);
$rack_id = intval($_GET['unarchive_rack']);
$rack_id = intval($_GET['restore_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
@@ -127,9 +135,9 @@ if (isset($_GET['unarchive_rack'])) {
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NULL WHERE rack_id = $rack_id");
logAction("Rack", "Unarchive", "$session_name unarchived rack $rack_name", $client_id, $rack_id);
logAction("Rack", "Restore", "$session_name restored rack $rack_name", $client_id, $rack_id);
flash_alert("Rack <strong>$rack_name</strong> Unarchived");
flash_alert("Rack <strong>$rack_name</strong> Restored");
redirect();
@@ -137,6 +145,8 @@ if (isset($_GET['unarchive_rack'])) {
if (isset($_GET['delete_rack'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_support', 3);
$rack_id = intval($_GET['delete_rack']);
@@ -165,6 +175,8 @@ if (isset($_GET['delete_rack'])) {
if (isset($_POST['add_rack_unit'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
@@ -210,6 +222,8 @@ if (isset($_POST['add_rack_unit'])) {
if (isset($_POST['edit_rack_unit'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$unit_id = intval($_POST['unit_id']);
@@ -238,6 +252,8 @@ if (isset($_POST['edit_rack_unit'])) {
if (isset($_GET['remove_rack_unit'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_support', 2);
$unit_id = intval($_GET['remove_rack_unit']);

8
agent/racks.php
View File

@@ -109,11 +109,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a>
<?php if ($session_user_role == 3) { ?>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_rack=<?php echo $rack_id; ?>">
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_rack=<?php echo $rack_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Archive
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_rack=<?php echo $rack_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_rack=<?php echo $rack_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete
</a>
<?php } ?>
@@ -270,7 +270,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</button>
<div class="dropdown-menu">
<a class="dropdown-item text-danger text-bold confirm-link"
href="post.php?remove_rack_unit=<?php echo $d['unit_id']; ?>">
href="post.php?remove_rack_unit=<?php echo $d['unit_id']; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-minus mr-2"></i>Remove
</a>
</div>
@@ -302,7 +302,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="dropdown-menu">
<?php foreach ($unit_devices as $d) { ?>
<a class="dropdown-item text-danger text-bold confirm-link"
href="post.php?remove_rack_unit=<?php echo $d['unit_id']; ?>">
href="post.php?remove_rack_unit=<?php echo $d['unit_id']; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-minus mr-2"></i>Remove
</a>
<?php } ?>