From f653752026987f9097c87068e7a66d0e1632b2c1 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Sun, 1 Mar 2026 22:37:51 -0500
Subject: [PATCH] Recurring Invoice: Add missing CSRF checks and missing
 permissions in POST

---
 .../recurring_invoice_add.php                 |  1 +
 .../recurring_invoice_edit.php                |  1 +
 .../recurring_invoice_export.php              |  1 +
 .../recurring_invoice_note.php                |  5 ++-
 agent/post/recurring_invoice.php              | 44 +++++++++++++++++++
 agent/recurring_invoice.php                   | 12 ++---
 agent/recurring_invoices.php                  |  3 +-
 7 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/agent/modals/recurring_invoice/recurring_invoice_add.php b/agent/modals/recurring_invoice/recurring_invoice_add.php
index 2df4f419..d31dc068 100644
--- a/agent/modals/recurring_invoice/recurring_invoice_add.php
+++ b/agent/modals/recurring_invoice/recurring_invoice_add.php
@@ -14,6 +14,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 
     <div class="modal-body">
 
diff --git a/agent/modals/recurring_invoice/recurring_invoice_edit.php b/agent/modals/recurring_invoice/recurring_invoice_edit.php
index c9156740..e70c7592 100644
--- a/agent/modals/recurring_invoice/recurring_invoice_edit.php
+++ b/agent/modals/recurring_invoice/recurring_invoice_edit.php
@@ -28,6 +28,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
 
     <div class="modal-body">
diff --git a/agent/modals/recurring_invoice/recurring_invoice_export.php b/agent/modals/recurring_invoice/recurring_invoice_export.php
index e999b96d..6d3e9a53 100644
--- a/agent/modals/recurring_invoice/recurring_invoice_export.php
+++ b/agent/modals/recurring_invoice/recurring_invoice_export.php
@@ -8,6 +8,7 @@
                 </button>
             </div>
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
                 <div class="modal-body">
 
diff --git a/agent/modals/recurring_invoice/recurring_invoice_note.php b/agent/modals/recurring_invoice/recurring_invoice_note.php
index c31e49bf..62711f7b 100644
--- a/agent/modals/recurring_invoice/recurring_invoice_note.php
+++ b/agent/modals/recurring_invoice/recurring_invoice_note.php
@@ -8,8 +8,9 @@
         </button>
       </div>
       <form action="post.php" method="post" autocomplete="off">
+        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
         <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
-        <div class="modal-body">  
+        <div class="modal-body">
           <div class="form-group">
             <textarea class="form-control" rows="8" name="note" placeholder="Enter some notes"><?php echo $recurring_invoice_note; ?></textarea>
           </div>
@@ -21,4 +22,4 @@
       </form>
     </div>
   </div>
-</div>
\ No newline at end of file
+</div>
diff --git a/agent/post/recurring_invoice.php b/agent/post/recurring_invoice.php
index 01f18dee..65355f6d 100644
--- a/agent/post/recurring_invoice.php
+++ b/agent/post/recurring_invoice.php
@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_invoice_recurring'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $invoice_id = intval($_POST['invoice_id']);
     $recurring_invoice_frequency = sanitizeInput($_POST['frequency']);
 
@@ -66,6 +70,10 @@ if (isset($_POST['add_invoice_recurring'])) {
 
 if (isset($_POST['add_recurring_invoice'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $client_id = intval($_POST['client']);
     $frequency = sanitizeInput($_POST['frequency']);
     $start_date = sanitizeInput($_POST['start_date']);
@@ -99,6 +107,10 @@ if (isset($_POST['add_recurring_invoice'])) {
 
 if (isset($_POST['edit_recurring_invoice'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_id = intval($_POST['recurring_invoice_id']);
     $frequency = sanitizeInput($_POST['frequency']);
     $next_date = sanitizeInput($_POST['next_date']);
@@ -137,6 +149,10 @@ if (isset($_POST['edit_recurring_invoice'])) {
 
 if (isset($_GET['delete_recurring_invoice'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_sales', 3);
+
     $recurring_invoice_id = intval($_GET['delete_recurring_invoice']);
 
     // Get Recurring Invoice Details and Client ID for Logging
@@ -173,6 +189,10 @@ if (isset($_GET['delete_recurring_invoice'])) {
 
 if (isset($_POST['add_recurring_invoice_item'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_id = intval($_POST['recurring_invoice_id']);
     $name = sanitizeInput($_POST['name']);
     $description = sanitizeInput($_POST['description']);
@@ -225,6 +245,10 @@ if (isset($_POST['add_recurring_invoice_item'])) {
 
 if (isset($_POST['recurring_invoice_note'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_id = intval($_POST['recurring_invoice_id']);
     $note = sanitizeInput($_POST['note']);
 
@@ -247,6 +271,10 @@ if (isset($_POST['recurring_invoice_note'])) {
 
 if (isset($_GET['delete_recurring_invoice_item'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $item_id = intval($_GET['delete_recurring_invoice_item']);
 
     $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
@@ -279,6 +307,10 @@ if (isset($_GET['delete_recurring_invoice_item'])) {
 
 if (isset($_GET['force_recurring'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_id = intval($_GET['force_recurring']);
 
     $sql_recurring_invoices = mysqli_query($mysqli,"SELECT * FROM recurring_invoices, clients WHERE client_id = recurring_invoice_client_id AND recurring_invoice_id = $recurring_invoice_id");
@@ -440,6 +472,10 @@ if (isset($_GET['force_recurring'])) {
 
 if (isset($_POST['set_recurring_payment'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_id = intval($_POST['recurring_invoice_id']);
     $saved_payment_id = intval($_POST['saved_payment_id']);
 
@@ -491,6 +527,10 @@ if (isset($_POST['set_recurring_payment'])) {
 
 if (isset($_POST['export_client_recurring_invoice_csv'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_sales');
+
     $client_id = intval($_POST['client_id']);
 
     //get records from database
@@ -539,6 +579,10 @@ if (isset($_POST['export_client_recurring_invoice_csv'])) {
 
 if (isset($_GET['recurring_invoice_email_notify'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
+    enforceUserPermission('module_sales', 2);
+
     $recurring_invoice_email_notify = intval($_GET['recurring_invoice_email_notify']);
     $recurring_invoice_id = intval($_GET['recurring_invoice_id']);
 
diff --git a/agent/recurring_invoice.php b/agent/recurring_invoice.php
index 6407976c..2499ed7f 100644
--- a/agent/recurring_invoice.php
+++ b/agent/recurring_invoice.php
@@ -140,15 +140,16 @@ if (isset($_GET['recurring_invoice_id'])) {
 
                 <div class="col-2">
                     <?php if ($recurring_invoice_email_notify) { ?>
-                        <a href="post.php?recurring_invoice_email_notify=0&recurring_invoice_id=<?php echo $recurring_invoice_id; ?>" class="btn btn-primary"><i class="fas fa-fw fa-bell mr-2"></i>Email Notify</a>
+                        <a href="post.php?recurring_invoice_email_notify=0&recurring_invoice_id=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-primary"><i class="fas fa-fw fa-bell mr-2"></i>Email Notify</a>
                     <?php } else { ?>
-                        <a href="post.php?recurring_invoice_email_notify=1&recurring_invoice_id=<?php echo $recurring_invoice_id; ?>" class="btn btn-outline-danger"><i class="fas fa-fw fa-bell-slash mr-2"></i>Email Notify</a>
+                        <a href="post.php?recurring_invoice_email_notify=1&recurring_invoice_id=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger"><i class="fas fa-fw fa-bell-slash mr-2"></i>Email Notify</a>
                     <?php } ?>
                 </div>
                 <div class="col-3">
                     <?php $sql_saved_payments = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods WHERE saved_payment_client_id = $client_id");
                     if (mysqli_num_rows($sql_saved_payments) > 0) { ?>
                         <form class="form" action="post.php" method="post">
+                            <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                             <input type="hidden" name="set_recurring_payment" value="1">
                             <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
                             <div class="input-group">
@@ -182,11 +183,11 @@ if (isset($_GET['recurring_invoice_id'])) {
                                 <i class="fa fa-fw fa-edit text-secondary mr-2"></i>Edit
                             </a>
                             <div class="dropdown-divider"></div>
-                            <a class="dropdown-item" href="post.php?force_recurring=<?php echo $recurring_invoice_id; ?>">
+                            <a class="dropdown-item" href="post.php?force_recurring=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                 <i class="fa fa-fw fa-paper-plane text-secondary mr-2"></i>Force Send
                             </a>
                             <div class="dropdown-divider"></div>
-                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_recurring_invoice=<?php echo $recurring_invoice_id; ?>">
+                            <a class="dropdown-item text-danger confirm-link" href="post.php?delete_recurring_invoice=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                 <i class="fa fa-fw fa-trash mr-2"></i>Delete
                             </a>
                         </div>
@@ -303,7 +304,7 @@ if (isset($_GET['recurring_invoice_id'])) {
                                                             <i class="fa fa-fw fa-edit mr-2"></i>Edit
                                                         </a>
                                                         <div class="dropdown-divider"></div>
-                                                        <a class="dropdown-item text-danger confirm-link" href="post.php?delete_recurring_invoice_item=<?php echo $item_id; ?>"><i class="fa fa-fw fa-trash mr-2"></i>Delete</a>
+                                                        <a class="dropdown-item text-danger confirm-link" href="post.php?delete_recurring_invoice_item=<?= $item_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"><i class="fa fa-fw fa-trash mr-2"></i>Delete</a>
                                                     </div>
                                                 </div>
                                             </div>
@@ -324,6 +325,7 @@ if (isset($_GET['recurring_invoice_id'])) {
 
                                     <tr class="d-print-none">
                                         <form action="post.php" method="post">
+                                            <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                             <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
                                             <input type="hidden" name="item_order" value="<?php
                                                 //find largest order number and add 1
diff --git a/agent/recurring_invoices.php b/agent/recurring_invoices.php
index c10cb0ac..8ecdb289 100644
--- a/agent/recurring_invoices.php
+++ b/agent/recurring_invoices.php
@@ -206,6 +206,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                             <?php $sql_saved_payments = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods WHERE saved_payment_client_id = $client_id");
                             if (mysqli_num_rows($sql_saved_payments) > 0) { ?>
                                 <form class="form" action="post.php" method="post">
+                                    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
                                     <input type="hidden" name="set_recurring_payment" value="1">
                                     <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
                                     <select class="form-control select2" name="saved_payment_id" onchange="this.form.submit()">
@@ -242,7 +243,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     </a>
                                     <?php if ($status !== 'Active') { ?>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_invoice=<?php echo $recurring_invoice_id; ?>">
+                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_invoice=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                             <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                         </a>
                                     <?php } ?>