AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-27 15:55:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Recurring Invoice: Add missing CSRF checks and missing permissions in POST

Browse Source
This commit is contained in:
johnnyq
2026-03-01 22:37:51 -05:00
parent 4440581f14
commit f653752026
7 changed files with 59 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
agent/recurring_invoices.php
View File

@@ -206,6 +206,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<?php $sql_saved_payments = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods WHERE saved_payment_client_id = $client_id");
if (mysqli_num_rows($sql_saved_payments) > 0) { ?>
<form class="form" action="post.php" method="post">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="set_recurring_payment" value="1">
<input type="hidden" name="recurring_invoice_id" value="<?php echo $recurring_invoice_id; ?>">
<select class="form-control select2" name="saved_payment_id" onchange="this.form.submit()">
@@ -242,7 +243,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a>
<?php if ($status !== 'Active') { ?>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_invoice=<?php echo $recurring_invoice_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_invoice=<?= $recurring_invoice_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete
</a>
<?php } ?>