Recurring Invoice: Add missing CSRF checks and missing permissions in POST

2026-03-11 08:14:52 +00:00 · 2026-03-01 22:37:51 -05:00
parent 4440581f14
commit f653752026
7 changed files with 59 additions and 8 deletions
--- a/agent/modals/recurring_invoice/recurring_invoice_note.php
+++ b/agent/modals/recurring_invoice/recurring_invoice_note.php
@@ -8,8 +8,9 @@
        </button>
      </div>
      <form action="post.php" method="post" autocomplete="off">
+        <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
        <input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
-        <div class="modal-body">  
+        <div class="modal-body">
          <div class="form-group">
            <textarea class="form-control" rows="8" name="note" placeholder="Enter some notes"><?php echo $recurring_invoice_note; ?></textarea>
          </div>
@@ -21,4 +22,4 @@
      </form>
    </div>
  </div>
-</div>
+</div>