Merge pull request #1084 from itflow-org/budget-perms

Budget - CSRF + Perms

Author: johnnyq

budget_edit.php

@@ -2,6 +2,8 @@
 
 require_once "inc_all.php";
 
+enforceUserPermission('module_financial', 2);
+
 // Fetch categories
 $query = "SELECT category_id, category_name FROM categories WHERE category_type ='Expense' AND category_archived_at IS NULL";
 $result = mysqli_query($mysqli, $query);
@@ -52,6 +54,8 @@
     </form>
     <form id="budgetForm" method="POST" action="post.php">
         <input type="hidden" name="year" value="<?php echo $currentYear; ?>">
+        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+
         <table class="table table-bordered table-striped">
             <thead>
             <tr>

post/user/budget.php

@@ -5,6 +5,11 @@
  */
 
 if (isset($_POST['save_budget'])) {
+
+    enforceUserPermission('module_financial', 2);
+
+    validateCSRFToken($_POST['csrf_token']);
+
     $budgets = $_POST['budget'];
     $year = intval($_POST['year']);
 
@@ -37,6 +42,11 @@
 }
 
 if (isset($_POST['delete_budget'])) {
+
+    enforceUserPermission('module_financial', 3);
+
+    validateCSRFToken($_POST['csrf_token']);
+
     $year = intval($_POST['year']);
 
     mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");