Recurring Invoice: Add missing CSRF checks and missing permissions in POST

This commit is contained in:
johnnyq
2026-03-01 22:37:51 -05:00
parent 4440581f14
commit f653752026
7 changed files with 59 additions and 8 deletions


@@ -8,6 +8,10 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_invoice_recurring'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$invoice_id = intval($_POST['invoice_id']);
$recurring_invoice_frequency = sanitizeInput($_POST['frequency']);
@@ -66,6 +70,10 @@ if (isset($_POST['add_invoice_recurring'])) {
if (isset($_POST['add_recurring_invoice'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$client_id = intval($_POST['client']);
$frequency = sanitizeInput($_POST['frequency']);
$start_date = sanitizeInput($_POST['start_date']);
@@ -99,6 +107,10 @@ if (isset($_POST['add_recurring_invoice'])) {
if (isset($_POST['edit_recurring_invoice'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_id = intval($_POST['recurring_invoice_id']);
$frequency = sanitizeInput($_POST['frequency']);
$next_date = sanitizeInput($_POST['next_date']);
@@ -137,6 +149,10 @@ if (isset($_POST['edit_recurring_invoice'])) {
if (isset($_GET['delete_recurring_invoice'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 3);
$recurring_invoice_id = intval($_GET['delete_recurring_invoice']);
// Get Recurring Invoice Details and Client ID for Logging
@@ -173,6 +189,10 @@ if (isset($_GET['delete_recurring_invoice'])) {
if (isset($_POST['add_recurring_invoice_item'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_id = intval($_POST['recurring_invoice_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -225,6 +245,10 @@ if (isset($_POST['add_recurring_invoice_item'])) {
if (isset($_POST['recurring_invoice_note'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_id = intval($_POST['recurring_invoice_id']);
$note = sanitizeInput($_POST['note']);
@@ -247,6 +271,10 @@ if (isset($_POST['recurring_invoice_note'])) {
if (isset($_GET['delete_recurring_invoice_item'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_recurring_invoice_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
@@ -279,6 +307,10 @@ if (isset($_GET['delete_recurring_invoice_item'])) {
if (isset($_GET['force_recurring'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_id = intval($_GET['force_recurring']);
$sql_recurring_invoices = mysqli_query($mysqli,"SELECT * FROM recurring_invoices, clients WHERE client_id = recurring_invoice_client_id AND recurring_invoice_id = $recurring_invoice_id");
@@ -440,6 +472,10 @@ if (isset($_GET['force_recurring'])) {
if (isset($_POST['set_recurring_payment'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_id = intval($_POST['recurring_invoice_id']);
$saved_payment_id = intval($_POST['saved_payment_id']);
@@ -491,6 +527,10 @@ if (isset($_POST['set_recurring_payment'])) {
if (isset($_POST['export_client_recurring_invoice_csv'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales');
$client_id = intval($_POST['client_id']);
//get records from database
@@ -539,6 +579,10 @@ if (isset($_POST['export_client_recurring_invoice_csv'])) {
if (isset($_GET['recurring_invoice_email_notify'])) {
validateCSRFToken($_GET['csrf_token']);
enforceUserPermission('module_sales', 2);
$recurring_invoice_email_notify = intval($_GET['recurring_invoice_email_notify']);
$recurring_invoice_id = intval($_GET['recurring_invoice_id']);
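Review bot: The four state-changing handlers keyed off `$_GET` (`delete_recurring_invoice`, `delete_recurring_invoice_item`, `force_recurring`, `recurring_invoice_email_notify`) now read the token from `$_GET['csrf_token']`, which means the anti-CSRF secret travels in the URL and lands in browser history, access/proxy logs and outbound Referer headers; the added check closes the immediate gap, but a follow-up should move these actions to POST forms so the token is only ever sent in the body. Every added `validateCSRFToken($_POST['csrf_token'])` / `validateCSRFToken($_GET['csrf_token'])` line also indexes the array unconditionally, so a request without the field raises an undefined-array-key warning and hands `null` to the validator; unless `validateCSRFToken()` (defined outside this section) already treats `null` as a rejection, `validateCSRFToken($_POST['csrf_token'] ?? '');` makes the missing-token path explicit. Deleting a whole recurring invoice is gated at level 3 while deleting one of its items (`enforceUserPermission('module_sales', 2)` in the `delete_recurring_invoice_item` hunk) is gated at level 2; that may be intended, but it is worth confirming the two levels match the rest of the module. The rendered section appears to omit blank lines and may continue past this point, so the closing of each handler block is not visible here.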