diff --git a/client.inc.php b/client.inc.php index 1908eaa1b5d5172fffaccfbee69f6f17e4871d1e..91956c0d7dfc36e5ffb374f0812cea2f9693c6b9 100644 --- a/client.inc.php +++ b/client.inc.php @@ -51,8 +51,17 @@ if($_SESSION['_client']['userID'] && $_SESSION['_client']['key']) if($thisclient && $thisclient->getId() && $thisclient->isValid()){ $thisclient->refreshSession(); } + +/******* CSRF Protectin *************/ +// Enforce CSRF protection for POSTS +if ($_POST && !$ost->checkCSRFToken()) { + @header('Location: index.php'); + //just incase redirect fails + die('Action denied (400)!'); +} + /* Client specific defaults */ -define('PAGE_LIMIT',DEFAULT_PAGE_LIMIT); +define('PAGE_LIMIT', DEFAULT_PAGE_LIMIT); $nav = new UserNav($thisclient, 'home'); ?> diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php index f67581005194848131dbaf1c709b8c238c8e404a..b402d6efce3e5914ba2c3cec2471b2d534312cbc 100644 --- a/include/ajax.tickets.php +++ b/include/ajax.tickets.php @@ -180,7 +180,7 @@ class TicketsAjaxAPI extends AjaxController { function acquireLock($tid) { global $cfg,$thisstaff; - + if(!$tid or !is_numeric($tid) or !$thisstaff or !$cfg) return 0; diff --git a/include/class.csrf.php b/include/class.csrf.php new file mode 100644 index 0000000000000000000000000000000000000000..bfa792901167b58892e88e805728e9d72a337df7 --- /dev/null +++ b/include/class.csrf.php 
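Review bot: The rejection path of the new CSRF gate answers a forged POST with a `Location: index.php` redirect (a 302) while the fallback text says 400, so the browser sees a success-style response, and the `@` on `header()` hides the one warning that would explain why the `die()` branch was reached. Replying with an explicit error status is clearer and matches the message: `header('HTTP/1.1 400 Bad Request');` followed by the existing `die('Action denied (400)!');`, with the suppression removed. The gate only fires when `$_POST` is non-empty, which covers every form in this diff; a POST with an empty body is not checked, which is harmless only as long as no handler acts on a body-less POST. The block comment also misspells "Protection".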
@@ -0,0 +1,93 @@ +<?php +/********************************************************************* + class.csrf.php + + Provides mechanisms to protect against cross-site request forgery + attacks. This is accomplished by using a token that is not stored in a + session, but required to make changes to the system. + + This can be accomplished by emitting a hidden field in a form, or + sending a separate header (X-CSRFToken) when forms are submitted (e.g Ajax). + + This technique is based on the protection mechanism in the Django + project, detailed at and thanks to + https://docs.djangoproject.com/en/dev/ref/contrib/csrf/. + + * TIMEOUT + Token can be expired after X seconds of inactivity (timeout) independent of the session. + + + Jared Hancock + Copyright (c) 2006-2012 osTicket + http://www.osticket.com + + Released under the GNU General Public License WITHOUT ANY WARRANTY. + See LICENSE.TXT for details. + + vim: expandtab sw=4 ts=4 sts=4: +**********************************************************************/ + +Class CSRF { + + var $name; + var $timeout; + + var $csrf; + + function CSRF($name='__CSRFToken__', $timeout=0) { + + $this->name = $name; + $this->timeout = $timeout; + $this->csrf = &$_SESSION['csrf']; + } + + function reset() { + $this->csrf = array(); + } + + function isExpired() { + return ($this->timeout && (time()-$this->csrf['time'])>$this->timeout); + } + + function getTokenName() { + return $this->name; + } + + function getToken($len=32) { + + if(!$this->csrf['token'] || $this->isExpired()) { + + $len = $len>8?$len:32; + $r = ''; + for ($i = 0; $i <= $len; $i++) + $r .= chr(mt_rand(0, 255)); + + $this->csrf['token'] = base64_encode(sha1(session_id().$r.SECRET_SALT)); + $this->csrf['time'] = time(); + } else { + //Reset the timer + $this->csrf['time'] = time(); + } + + return $this->csrf['token']; + } + + function validateToken($token) { + return ($token && trim($token)==$this->getToken() && !$this->isExpired()); + } + + function 
getFormInput($name='') { + if(!$name) $name = $this->name; + + return sprintf('<input type="hidden" name="%s" value="%s" />', $name, $this->getToken()); + } +} + +/* global function to add hidden token input with to forms */ +function csrf_token() { + global $ost; + + if($ost && $ost->getCSRF()) + echo $ost->getCSRFFormInput(); +} +?> diff --git a/include/class.osticket.php b/include/class.osticket.php index 66938cc7c4cfba0db80439e1de5e9c010923116e..5f75d0fd1fe6ac28feedeea227ef3ad6dc3e7429 100644 --- a/include/class.osticket.php +++ b/include/class.osticket.php @@ -19,6 +19,8 @@ **********************************************************************/ require_once(INCLUDE_DIR.'class.config.php'); //Config helper +require_once(INCLUDE_DIR.'class.csrf.php'); //CSRF token class. + define('LOG_WARN',LOG_WARNING); class osTicket { @@ -32,17 +34,19 @@ class osTicket { var $config; var $session; + var $csrf; function osTicket($cfgId) { + $this->config = Config::lookup($cfgId); //DB based session storage was added starting with v1.7 - // which does NOT have DB Version if($this->config && !$this->getConfig()->getDBVersion()) $this->session = osTicketSession::start(SESSION_TTL); // start DB based session else session_start(); + $this->csrf = new CSRF('__CSRFToken__'); } function isSystemOnline() { 
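Review bot: The file header states the token "is not stored in a session", but the constructor binds `$this->csrf = &$_SESSION['csrf']` and `getToken()` writes `$this->csrf['token']` and `$this->csrf['time']` through that reference, so the comment contradicts the code; reword it to say the token lives in the session and must be echoed back in a hidden field or the X-CSRFToken header. In `validateToken()` the trailing `!$this->isExpired()` is dead, because `getToken()` has just refreshed `$this->csrf['time']` (expired tokens are still rejected, since `getToken()` regenerated them before the comparison), and `trim($token)==$this->getToken()` is a loose, early-exit string comparison — where the deployment has `hash_equals` (PHP 5.6+) prefer `return ($token && hash_equals($this->getToken(), trim($token)));`. The seed loop `for ($i = 0; $i <= $len; $i++)` yields `$len + 1` bytes, and `mt_rand()` is not a cryptographic source; the salt and session id mask that somewhat, but `openssl_random_pseudo_bytes()` (or another CSPRNG) would be the appropriate seed. Reading `$this->csrf['token']` before the first call raises an undefined-index notice; guard it with `isset`.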
@@ -74,6 +78,38 @@ class osTicket { return THIS_VERSION; } + function getCSRF(){ + return $this->csrf; + } + + function getCSRFToken() { + return $this->getCSRF()->getToken(); + } + + function getCSRFFormInput() { + return $this->getCSRF()->getFormInput(); + } + + function validateCSRFToken($token) { + return ($token && $this->getCSRF()->validateToken($token)); + } + + function checkCSRFToken($name='') { + + $name = $name?$name:$this->getCSRF()->getTokenName(); + if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name])) + return true; + + if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN'])) + return true; + + $msg=sprintf('Invalid CSRF token [%s] on %s', + ($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE); + $this->logWarning('Invalid CSRF Token '.$name, $msg); + + return false; + } + function addExtraHeader($header) { $this->headers[md5($header)] = $header; } diff --git a/include/class.team.php b/include/class.team.php index c9f88a23147f1abfb81b434c2e9e35afc5eb67d0..cdf4cffcd3148fab082b2dd69f24733481aaeca0 100644 --- a/include/class.team.php +++ b/include/class.team.php @@ -133,7 +133,9 @@ class Team { if($vars['remove']) { $sql='DELETE FROM '.TEAM_MEMBER_TABLE .' WHERE team_id='.db_input($this->getId()) - .' AND staff_id IN('.implode(',',$_POST['remove']).')'; + .' AND staff_id IN (' + .implode(',', array_map('db_input', $_POST['remove'])) + .')'; db_query($sql); } diff --git a/include/client/login.inc.php b/include/client/login.inc.php index 0ff10e3f41ea37e5f956b1b7add8877548e3f6b5..e1e52e9d454e7a1a4f62fdfec39c5625e496c5d2 100644 --- a/include/client/login.inc.php +++ b/include/client/login.inc.php 
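Review bot: The failure branch of `checkCSRFToken()` builds its log message from `$_POST[$name]` and `$_SERVER['HTTP_X_CSRFTOKEN']` without the `isset` guards the two success branches use, so the most common failure — a request carrying neither — logs with undefined-index notices. Read the values once up front, e.g. `$posted = isset($_POST[$name]) ? $_POST[$name] : '';` and `$hdr = isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '';`, and use them for both the validation calls and the `sprintf`. Both values are caller-supplied strings written verbatim into the warning log; truncating them to a sane length before logging keeps the log readable. The `osTicket` class body continues outside the hunk.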
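Review bot: The guard on the unchanged line above tests `$vars['remove']` while the rewritten IN clause still reads `$_POST['remove']`, so the method validates one array and queries another; use `$vars['remove']` in the `array_map('db_input', ...)` call as well. `array_map()` also assumes an array: if `remove` arrives as a scalar it returns null, `implode()` produces `IN ()`, and the DELETE fails with a syntax error instead of doing nothing — an `is_array()` check before the map, or `(array) $vars['remove']`, closes that. Quoting each id through `db_input` is the right replacement for the previous raw interpolation. The enclosing method starts before the hunk.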
@@ -7,6 +7,7 @@ $ticketid=Format::input($_POST['lticket']?$_POST['lticket']:$_GET['t']); <h1>Check Ticket Status</h1> <p>To view the status of a ticket, provide us with the login details below.</p> <form action="login.php" method="post" id="clientLogin"> + <?php csrf_token(); ?> <strong>Authentication Required</strong> <div> <label for="email">E-Mail Address:</label> diff --git a/include/client/open.inc.php b/include/client/open.inc.php index 9c2a82b4706e1fc83253471eea8224e47cd7b382..b85c1e337eac2894c2246a94c623cea6717b42d2 100644 --- a/include/client/open.inc.php +++ b/include/client/open.inc.php @@ -13,6 +13,7 @@ $info=($_POST && $errors)?Format::htmlchars($_POST):$info; <h1>Open a New Ticket</h1> <p>Please fill in the form below to open a new ticket.</p> <form id="ticketForm" method="post" action="open.php" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="a" value="open"> <div> <label for="name" class="required">Full Name:</label> diff --git a/include/client/view.inc.php b/include/client/view.inc.php index debddc4ed4713aeb3dec50b48e1fcb5bfe2f9ccc..5aba461fc8f8a129138ed406d1319bb66d1ca9cb 100644 --- a/include/client/view.inc.php +++ b/include/client/view.inc.php @@ -91,6 +91,7 @@ if($ticket->getThreadCount() && ($thread=$ticket->getClientThread())) { <div id="msg_warning"><?php echo $warn; ?></div> <?php } ?> <form id="reply" action="tickets.php?id=<?php echo $ticket->getExtId(); ?>#reply" name="reply" method="post" enctype="multipart/form-data"> + <?php csrf_token(); ?> <h2>Post a Reply</h2> <input type="hidden" name="id" value="<?php echo $ticket->getExtId(); ?>"> <input type="hidden" name="a" value="reply"> diff --git a/include/staff/apikey.inc.php b/include/staff/apikey.inc.php index 7bcac1cb03e257feb855fbf0436769b8b3a3650e..ff5592b46fd57b374bb0a2d0825f99d3156bceef 100644 --- a/include/staff/apikey.inc.php +++ b/include/staff/apikey.inc.php 
@@ -20,6 +20,7 @@ if($api && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="apikeys.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/apikeys.inc.php b/include/staff/apikeys.inc.php index 3deccb941222f8d771eb120ea90ab7e27557203c..fc0d418e76606ee7dc64f78fde73db932133ac79 100644 --- a/include/staff/apikeys.inc.php +++ b/include/staff/apikeys.inc.php @@ -46,6 +46,7 @@ else <b><a href="apikeys.php?a=add" class="Icon newapi">Add New API Key</a></b></div> <div class="clear"></div> <form action="apikeys.php" method="POST" name="keys" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/banlist.inc.php b/include/staff/banlist.inc.php index 430b51f4835bbf7038941109621774b409485b2e..0b61d1e8b779edaf48c448c82eb38c3d1ce3deed 100644 --- a/include/staff/banlist.inc.php +++ b/include/staff/banlist.inc.php @@ -72,6 +72,7 @@ if($search) ?> <form action="banlist.php" method="POST" name="banlist" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/banrule.inc.php b/include/staff/banrule.inc.php index 0560b4a4d6268961220dad69de5d7b73617afec2..1f1314736f6943a6563f6ac1b9761fa2fbd98fea 100644 --- a/include/staff/banrule.inc.php +++ b/include/staff/banrule.inc.php 
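Review bot: The hidden token is emitted into the staff forms here and in the apikeys, banlist, banrule, cannedreplies, cannedreply, categories, category, department, departments, email, emails, filter, filters, group, groups, helptopic, helptopics and login.tpl hunks, but the only enforcement visible in this diff is the `$_POST && !$ost->checkCSRFToken()` gate in client.inc.php; unless the staff bootstrap (not shown) gains the same check, these fields are rendered and never verified. Worth confirming that the staff entry point calls `$ost->checkCSRFToken()` before any `do`/`mass_process` handling, and adding a one-line comment at the gate naming the forms it covers.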
@@ -20,6 +20,7 @@ if($rule && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="banlist.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/cannedreplies.inc.php b/include/staff/cannedreplies.inc.php index b9e50863072c57bd2e2ca8891641c297a80c67cf..2f19cbd194a1ee7570fcda67eca30f295bc1d2fa 100644 --- a/include/staff/cannedreplies.inc.php +++ b/include/staff/cannedreplies.inc.php @@ -53,6 +53,7 @@ else <b><a href="canned.php?a=add" class="Icon newReply">Add New Reply</a></b></div> <div class="clear"></div> <form action="canned.php" method="POST" name="canned" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/cannedreply.inc.php b/include/staff/cannedreply.inc.php index 8739e0771fda6d9aca32d772626adb344bb6ad81..f18b114a2225fde48d9bddbc73ff3ec93e5a3fd4 100644 --- a/include/staff/cannedreply.inc.php +++ b/include/staff/cannedreply.inc.php @@ -20,6 +20,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="canned.php?<?php echo $qstr; ?>" method="post" id="save" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/categories.inc.php b/include/staff/categories.inc.php index 9e90869c0d24acd79eabced4a1eed76c133681cc..df750fe795f680963663edd7282d0bfa66e316ef 100644 
--- a/include/staff/categories.inc.php +++ b/include/staff/categories.inc.php @@ -47,6 +47,7 @@ else <b><a href="categories.php?a=add" class="Icon newCategory">Add New Category</a></b></div> <div class="clear"></div> <form action="categories.php" method="POST" name="cat" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/category.inc.php b/include/staff/category.inc.php index 8272d7da13e24f1531b577fd051dccbfc487b108..c682219b0331e089a22a6b38054dd83997a38962 100644 --- a/include/staff/category.inc.php +++ b/include/staff/category.inc.php @@ -19,6 +19,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="categories.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/department.inc.php b/include/staff/department.inc.php index eb3a2e3e6c17f7bde898acefb38e5fcb5aebd2e9..2c1ff86ca75f3b6467e44fa3b86fe98652a808e7 100644 --- a/include/staff/department.inc.php +++ b/include/staff/department.inc.php @@ -24,6 +24,7 @@ if($dept && $_REQUEST['a']!='add') { $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="departments.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> 
diff --git a/include/staff/departments.inc.php b/include/staff/departments.inc.php index 71b702a0676cff5f6824c933fc458882fff9e991..a46115f422b87abc4446cd4f301e171aa92e539d 100644 --- a/include/staff/departments.inc.php +++ b/include/staff/departments.inc.php @@ -47,6 +47,7 @@ else <b><a href="departments.php?a=add" class="Icon newDepartment">Add New Department</a></b></div> <div class="clear"></div> <form action="departments.php" method="POST" name="depts" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/email.inc.php b/include/staff/email.inc.php index 2fd2b8857494c64c061524a5bd294e4433299ee4..e16b350bdbd3a58f64862da9de74b4c835e9dc23 100644 --- a/include/staff/email.inc.php +++ b/include/staff/email.inc.php @@ -31,6 +31,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <h2>Email Address</h2> <form action="emails.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/emails.inc.php b/include/staff/emails.inc.php index 8d5f221177051e484fcaff4457c5f9f60bffbc99..4ab93d22105e3d42ba11efe6321a13d912548ee2 100644 --- a/include/staff/emails.inc.php +++ b/include/staff/emails.inc.php 
@@ -49,6 +49,7 @@ else <b><a href="emails.php?a=add" class="Icon newEmail">Add New Email</a></b></div> <div class="clear"></div> <form action="emails.php" method="POST" name="emails" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/filter.inc.php b/include/staff/filter.inc.php index 6d0069641f84533937164097d9f9ecd89c8708a7..c2aad0bcf4456d5bade4fa323a4ba3c991c39929 100644 --- a/include/staff/filter.inc.php +++ b/include/staff/filter.inc.php @@ -23,6 +23,7 @@ if($filter && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="filters.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/filters.inc.php b/include/staff/filters.inc.php index b5534bdde77a12ffe88a8f2362046c5d2e64fce2..7f3aab393f56cb3b1eb3f8dc3da0113204d35e41 100644 --- a/include/staff/filters.inc.php +++ b/include/staff/filters.inc.php @@ -50,6 +50,7 @@ else <b><a href="filters.php?a=add" class="Icon newEmailFilter">Add New Filter</a></b></div> <div class="clear"></div> <form action="filters.php" method="POST" name="filters" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/group.inc.php b/include/staff/group.inc.php index 83220475de4bf388cd2368774a9cccaba1022896..a442c3ce02e91c249636d4c762cd9a9ed54b6c89 100644 --- a/include/staff/group.inc.php 
+++ b/include/staff/group.inc.php @@ -21,6 +21,7 @@ if($group && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="groups.php?<?php echo $qstr; ?>" method="post" id="save" name="group"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/groups.inc.php b/include/staff/groups.inc.php index 5c8393e994fae65d38599c52ed02fa7e991226cf..ccb16257bf74660ae43d4a6abad2013984323221 100644 --- a/include/staff/groups.inc.php +++ b/include/staff/groups.inc.php @@ -46,6 +46,7 @@ else <b><a href="groups.php?a=add" class="Icon newgroup">Add New Group</a></b></div> <div class="clear"></div> <form action="groups.php" method="POST" name="groups" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php index 090397036d7bb05a46e9f405bf530a5781bbdb26..251de2b4f8ec4cdd8822668b806bde81b6a7e57e 100644 --- a/include/staff/header.inc.php +++ b/include/staff/header.inc.php @@ -36,7 +36,8 @@ <?php }else{ ?> | <a href="index.php">Staff Panel</a> <?php } ?> - | <a href="profile.php">My Preferences</a> | <a href="logout.php">Log Out</a> + | <a href="profile.php">My Preferences</a> + | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a> </p> </div> <ul id="nav"> diff --git a/include/staff/helptopic.inc.php b/include/staff/helptopic.inc.php index c0fdcd34010266a802bbffdd3f31c741c36f0b9a..6c7c94211ec855b5b7c4111c7382b15f93883239 100644 --- a/include/staff/helptopic.inc.php +++ b/include/staff/helptopic.inc.php 
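Review bot: The logout link computes `md5($ost->getCSRFToken().SECRET_SALT.session_id())` inline in the template, which duplicates a derivation that logout.php (outside this diff) must reproduce byte-for-byte; move it behind a method on `osTicket` next to `getCSRFToken()` (name of your choosing) so both sides share one definition and the check cannot drift. Deriving a separate value rather than placing the raw token in the query string is the right choice, since URLs end up in referrer headers and browser history, and the helper should preserve that property. The surrounding `<p>` block continues outside the hunk.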
@@ -20,6 +20,7 @@ if($topic && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="helptopics.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/helptopics.inc.php b/include/staff/helptopics.inc.php index b3d58c777517753e02b41d1aaa703ed6e5500c01..9e5482ff9b1197a14aa732ee161f3ff5e392724c 100644 --- a/include/staff/helptopics.inc.php +++ b/include/staff/helptopics.inc.php @@ -50,6 +50,7 @@ else <b><a href="helptopics.php?a=add" class="Icon newHelpTopic">Add New Help Topic</a></b></div> <div class="clear"></div> <form action="helptopics.php" method="POST" name="topics" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/login.tpl.php b/include/staff/login.tpl.php index 4f2364e1ae9fa21a0e79135ae5580fcaffdbcb63..2d8a41f650601c2ec8396ecb89a8ea5ac90a4790 100644 --- a/include/staff/login.tpl.php +++ b/include/staff/login.tpl.php @@ -15,6 +15,7 @@ <h1 id="logo"><a href="index.php">osTicket Staff Control Panel</a></h1> <h3><?php echo Format::htmlchars($msg); ?></h3> <form action="login.php" method="post"> + <?php csrf_token(); ?> <input type="hidden" name="d"o value="scplogin"> <fieldset> <input type="text" name="username" id="name" value="" placeholder="username" autocorrect="off" autocapitalize="off"> diff --git a/include/staff/preference.inc.php b/include/staff/preference.inc.php deleted file mode 100644 index 6eb27354b0d4cd019964b460b58a3c4b0db1110e..0000000000000000000000000000000000000000 --- a/include/staff/preference.inc.php +++ /dev/null 
@@ -1,498 +0,0 @@ -<?php -if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied'); - -//Get the config info. -$config=($errors && $_POST)?Format::input($_POST):Format::htmlchars($cfg->getConfigInfo()); -//Basic checks for warnings... -$warn=array(); -if($config['allow_attachments'] && !$config['upload_dir']) { - $errors['allow_attachments']='You need to setup upload dir.'; -}else{ - if(!$config['allow_attachments'] && $config['allow_email_attachments']) - $warn['allow_email_attachments']='*Attachments Disabled.'; - if(!$config['allow_attachments'] && ($config['allow_online_attachments'] or $config['allow_online_attachments_onlogin'])) - $warn['allow_online_attachments']='<br>*Attachments Disabled.'; -} - -if(!$errors['enable_captcha'] && $config['enable_captcha'] && !extension_loaded('gd')) - $errors['enable_captcha']='GD required for captcha to work'; - - -//Not showing err on post to avoid alarming the user...after an update. -if(!$errors['err'] &&!$msg && $warn ) - $errors['err']='Possible errors detected, please check the warnings below'; - -$gmtime=Misc::gmtime(); -$depts= db_query('SELECT dept_id,dept_name FROM '.DEPT_TABLE.' WHERE ispublic=1'); -$templates=db_query('SELECT tpl_id,name FROM '.EMAIL_TEMPLATE_TABLE.' 
WHERE cfg_id='.db_input($cfg->getId())); -?> -<div class="msg">System Preferences and Settings (v<?php echo $config['ostversion']; ?>)</div> -<table width="100%" border="0" cellspacing=0 cellpadding=0> - <form action="admin.php?t=pref" method="post"> - <input type="hidden" name="t" value="pref"> - <tr><td> - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header" ><td colspan=2>General Settings</td></tr> - <tr class="subheader"> - <td colspan=2">Offline mode will disable client interface and <b>only</b> allow <b>super admins</b> to login to Staff Control Panel</td> - </tr> - <tr><th><b>Helpdesk Status</b></th> - <td> - <input type="radio" name="isonline" value="1" <?php echo $config['isonline']?'checked':''; ?> /><b>Online</b> (Active) - <input type="radio" name="isonline" value="0" <?php echo !$config['isonline']?'checked':''; ?> /><b>Offline</b> (Disabled) - <font class="warn"> <?php echo $config['isoffline']?'osTicket offline':''; ?></font> - </td> - </tr> - <tr><th>Helpdesk URL:</th> - <td> - <input type="text" size="40" name="helpdesk_url" value="<?php echo $config['helpdesk_url']; ?>"> - <font class="error">* <?php echo $errors['helpdesk_url']; ?></font></td> - </tr> - <tr><th>Helpdesk Name/Title:</th> - <td><input type="text" size="40" name="helpdesk_title" value="<?php echo $config['helpdesk_title']; ?>"> </td> - </tr> - <tr><th>Default Email Templates:</th> - <td> - <select name="default_template_id"> - <option value=0>Select Default Template</option> - <?php - while (list($id,$name) = db_fetch_row($templates)){ - $selected = ($config['default_template_id']==$id)?'SELECTED':''; ?> - <option value="<?php echo $id; ?>"<?php echo $selected; ?>><?php echo $name; ?></option> - <?php - } ?> - </select> <font class="error">* <?php echo $errors['default_template_id']; ?></font> - </td> - </tr> - <tr><th>Default Department:</th> - <td> - <select name="default_dept_id"> - <option value=0>Select Default Dept</option> - <?php - 
while (list($id,$name) = db_fetch_row($depts)){ - $selected = ($config['default_dept_id']==$id)?'SELECTED':''; ?> - <option value="<?php echo $id; ?>"<?php echo $selected; ?>><?php echo $name; ?> Dept</option> - <?php - } ?> - </select> <font class="error">* <?php echo $errors['default_dept_id']; ?></font> - </td> - </tr> - <tr><th>Default Page Size:</th> - <td> - <select name="max_page_size"> - <?php - $pagelimit=$config['max_page_size']; - for ($i = 5; $i <= 50; $i += 5) { - ?> - <option <?php echo $config['max_page_size'] == $i ? 'SELECTED':''; ?> value="<?php echo $i; ?>"><?php echo $i; ?></option> - <?php - } ?> - </select> - </td> - </tr> - <tr><th>System Log Level:</th> - <td> - <select name="log_level"> - <option value=0 <?php echo $config['log_level'] == 0 ? 'selected="selected"':''; ?>>None (Disable Logger)</option> - <option value=3 <?php echo $config['log_level'] == 3 ? 'selected="selected"':''; ?>> DEBUG</option> - <option value=2 <?php echo $config['log_level'] == 2 ? 'selected="selected"':''; ?>> WARN</option> - <option value=1 <?php echo $config['log_level'] == 1 ? 'selected="selected"':''; ?>> ERROR</option> - </select> - Purge logs after - <select name="log_graceperiod"> - <option value=0 selected> None (Disable)</option> - <?php - for ($i = 1; $i <=12; $i++) { - ?> - <option <?php echo $config['log_graceperiod'] == $i ? 
'SELECTED':''; ?> value="<?php echo $i; ?>"><?php echo $i; ?> <?php echo ($i>1)?'Months':'Month'; ?></option> - <?php - } ?> - </select> - </td> - </tr> - <tr><th>Staff Excessive Logins:</th> - <td> - <select name="staff_max_logins"> - <?php - for ($i = 1; $i <= 10; $i++) { - echo sprintf('<option value="%d" %s>%d</option>',$i,(($config['staff_max_logins']==$i)?'selected="selected"':''),$i); - } - ?> - </select> attempt(s) allowed - before a - <select name="staff_login_timeout"> - <?php - for ($i = 1; $i <= 10; $i++) { - echo sprintf('<option value="%d" %s>%d</option>',$i,(($config['staff_login_timeout']==$i)?'selected="selected"':''),$i); - } - ?> - </select> min. timeout (penalty in minutes) - </td> - </tr> - <tr><th>Staff Session Timeout:</th> - <td> - <input type="text" name="staff_session_timeout" size=6 value="<?php echo $config['staff_session_timeout']; ?>"> - (<i>Staff's max Idle time in minutes. Enter 0 to disable timeout</i>) - </td> - </tr> - <tr><th>Bind Staff Session to IP:</th> - <td> - <input type="checkbox" name="staff_ip_binding" <?php echo $config['staff_ip_binding']?'checked':''; ?>> - Bind staff's session to login IP. - </td> - </tr> - - <tr><th>Client Excessive Logins:</th> - <td> - <select name="client_max_logins"> - <?php - for ($i = 1; $i <= 10; $i++) { - echo sprintf('<option value="%d" %s>%d</option>',$i,(($config['client_max_logins']==$i)?'selected="selected"':''),$i); - } - - ?> - </select> attempt(s) allowed - before a - <select name="client_login_timeout"> - <?php - for ($i = 1; $i <= 10; $i++) { - echo sprintf('<option value="%d" %s>%d</option>',$i,(($config['client_login_timeout']==$i)?'selected="selected"':''),$i); - } - ?> - </select> min. timeout (penalty in minutes) - </td> - </tr> - - <tr><th>Client Session Timeout:</th> - <td> - <input type="text" name="client_session_timeout" size=6 value="<?php echo $config['client_session_timeout']; ?>"> - (<i>Client's max Idle time in minutes. 
Enter 0 to disable timeout</i>) - </td> - </tr> - <tr><th>Clickable URLs:</th> - <td> - <input type="checkbox" name="clickable_urls" <?php echo $config['clickable_urls']?'checked':''; ?>> - Make URLs clickable - </td> - </tr> - <tr><th>Enable Auto Cron:</th> - <td> - <input type="checkbox" name="enable_auto_cron" <?php echo $config['enable_auto_cron']?'checked':''; ?>> - Enable cron call on staff's activity - </td> - </tr> - </table> - - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2>Date & Time</td></tr> - <tr class="subheader"> - <td colspan=2>Please refer to <a href="http://php.net/date" target="_blank">PHP Manual</a> for supported parameters.</td> - </tr> - <tr><th>Time Format:</th> - <td> - <input type="text" name="time_format" value="<?php echo $config['time_format']; ?>"> - <font class="error">* <?php echo $errors['time_format']; ?></font> - <i><?php echo Format::date($config['time_format'],$gmtime,$config['timezone_offset'],$config['enable_daylight_saving']); ?></i></td> - </tr> - <tr><th>Date Format:</th> - <td><input type="text" name="date_format" value="<?php echo $config['date_format']; ?>"> - <font class="error">* <?php echo $errors['date_format']; ?></font> - <i><?php echo Format::date($config['date_format'],$gmtime,$config['timezone_offset'],$config['enable_daylight_saving']); ?></i> - </td> - </tr> - <tr><th>Date & Time Format:</th> - <td><input type="text" name="datetime_format" value="<?php echo $config['datetime_format']; ?>"> - <font class="error">* <?php echo $errors['datetime_format']; ?></font> - <i><?php echo Format::date($config['datetime_format'],$gmtime,$config['timezone_offset'],$config['enable_daylight_saving']); ?></i> - </td> - </tr> - <tr><th>Day, Date & Time Format:</th> - <td><input type="text" name="daydatetime_format" value="<?php echo $config['daydatetime_format']; ?>"> - <font class="error">* <?php echo $errors['daydatetime_format']; ?></font> - <i><?php echo 
Format::date($config['daydatetime_format'],$gmtime,$config['timezone_offset'],$config['enable_daylight_saving']); ?></i> - </td> - </tr> - <tr><th>Default Timezone:</th> - <td> - <select name="timezone_offset"> - <?php - $gmoffset = date("Z") / 3600; //Server's offset. - echo"<option value=\"$gmoffset\">Server Time (GMT $gmoffset:00)</option>"; //Default if all fails. - $timezones= db_query('SELECT offset,timezone FROM '.TIMEZONE_TABLE); - while (list($offset,$tz) = db_fetch_row($timezones)){ - $selected = ($config['timezone_offset'] ==$offset) ?'SELECTED':''; - $tag=($offset)?"GMT $offset ($tz)":" GMT ($tz)"; - ?> - <option value="<?php echo $offset; ?>"<?php echo $selected; ?>><?php echo $tag; ?></option> - <?php - } ?> - </select> - </td> - </tr> - <tr> - <th>Daylight Saving:</th> - <td> - <input type="checkbox" name="enable_daylight_saving" <?php echo $config['enable_daylight_saving'] ? 'checked': ''; ?>>Observe daylight savings - </td> - </tr> - </table> - - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2>Ticket Options & Settings</td></tr> - <tr class="subheader"><td colspan=2>If enabled ticket lock get auto-renewed on form activity.</td></tr> - <tr><th valign="top">Ticket IDs:</th> - <td> - <input type="radio" name="random_ticket_ids" value="0" <?php echo !$config['random_ticket_ids']?'checked':''; ?> /> Sequential - <input type="radio" name="random_ticket_ids" value="1" <?php echo $config['random_ticket_ids']?'checked':''; ?> />Random (recommended) - </td> - </tr> - <tr><th valign="top">Ticket Priority:</th> - <td> - <select name="default_priority_id"> - <?php - $priorities= db_query('SELECT priority_id,priority_desc FROM '.TICKET_PRIORITY_TABLE); - while (list($id,$tag) = db_fetch_row($priorities)){ ?> - <option value="<?php echo $id; ?>"<?php echo ($config['default_priority_id']==$id)?'selected':''; ?>><?php echo $tag; ?></option> - <?php - } ?> - </select> Default priority<br/> - <input 
type="checkbox" name="allow_priority_change" <?php echo $config['allow_priority_change'] ?'checked':''; ?>> - Allow user to overwrite/set priority (new web tickets)<br/> - <input type="checkbox" name="use_email_priority" <?php echo $config['use_email_priority'] ?'checked':''; ?> > - Use email priority when available (new emailed tickets) - - </td> - </tr> - <tr><th>Maximum <b>Open</b> Tickets:</th> - <td> - <input type="text" name="max_open_tickets" size=4 value="<?php echo $config['max_open_tickets']; ?>"> - per email. (<i>Helps with spam and flood control. Enter 0 for unlimited</i>) - </td> - </tr> - <tr><th>Auto-Lock Time:</td> - <td> - <input type="text" name="autolock_minutes" size=4 value="<?php echo $config['autolock_minutes']; ?>"> - <font class="error"><?php echo $errors['autolock_minutes']; ?></font> - (<i>Minutes to lock a ticket on activity. Enter 0 to disable locking</i>) - </td> - </tr> - <tr><th>Ticket Grace Period:</th> - <td> - <input type="text" name="overdue_grace_period" size=4 value="<?php echo $config['overdue_grace_period']; ?>"> - (<i>Hours before ticket is marked overdue. Enter 0 to disable aging.</i>) - </td> - </tr> - <tr><th>Reopened Tickets:</th> - <td> - <input type="checkbox" name="auto_assign_reopened_tickets" <?php echo $config['auto_assign_reopened_tickets'] ? 'checked': ''; ?>> - Auto-assign reopened tickets to last respondent 'available'. (<i> 3 months limit</i>) - </td> - </tr> - <tr><th>Assigned Tickets:</th> - <td> - <input type="checkbox" name="show_assigned_tickets" <?php echo $config['show_assigned_tickets']?'checked':''; ?>> - Show assigned tickets on open queue. - </td> - </tr> - <tr><th>Answered Tickets:</th> - <td> - <input type="checkbox" name="show_answered_tickets" <?php echo $config['show_answered_tickets']?'checked':''; ?>> - Show answered tickets on open queue. 
- </td> - </tr> - <tr><th>Ticket Activity Log:</th> - <td> - <input type="checkbox" name="log_ticket_activity" <?php echo $config['log_ticket_activity']?'checked':''; ?>> - Log ticket's activity as internal notes. - </td> - </tr> - <tr><th>Staff Identity:</th> - <td> - <input type="checkbox" name="hide_staff_name" <?php echo $config['hide_staff_name']?'checked':''; ?>> - Hide staff's name on responses. - </td> - </tr> - <tr><th>Human Verification:</th> - <td> - <?php - if($config['enable_captcha'] && !$errors['enable_captcha']) { ?> - <img src="../captcha.php" border="0" align="left"> - <?php } ?> - <input type="checkbox" name="enable_captcha" <?php echo $config['enable_captcha']?'checked':''; ?>> - Enable captcha on new web tickets. <font class="error"> <?php echo $errors['enable_captcha']; ?></font><br/> - </td> - </tr> - - </table> - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2 >Email Settings</td></tr> - <tr class="subheader"><td colspan=2>Note that global settings can be disabled at dept/email level.</td></tr> - <tr><th valign="top"><br><b>Incoming Emails</b>:</th> - <td><i>For mail fetcher (POP/IMAP) to work you must set a cron job or simply enable auto-cron</i><br/> - <input type="checkbox" name="enable_mail_fetch" value=1 <?php echo $config['enable_mail_fetch']? 'checked': ''; ?> > Enable POP/IMAP email fetch - (<i>Global setting which can be disabled at email level</i>) <br/> - <input type="checkbox" name="enable_email_piping" value=1 <?php echo $config['enable_email_piping']? 'checked': ''; ?> > Enable email piping - (<i>You pipe we accept policy</i>)<br/> - <input type="checkbox" name="strip_quoted_reply" <?php echo $config['strip_quoted_reply'] ? 
'checked':''; ?>> - Strip quoted reply (<i>depends on the tag below</i>)<br/> - <input type="text" name="reply_separator" value="<?php echo $config['reply_separator']; ?>"> Reply Separator Tag - <font class="error"> <?php echo $errors['reply_separator']; ?></font> - </td> - </tr> - <tr><th valign="top"><br><b>Outgoing Emails</b>:</th> - <td> - <i><b>Default Email:</b> Only applies to outgoing emails with no SMTP settings.</i><br/> - <select name="default_smtp_id" - onChange="document.getElementById('overwrite').style.display=(this.options[this.selectedIndex].value>0)?'block':'none';"> - <option value=0>Select One</option> - <option value=0 selected="selected">None: Use PHP mail function</option> - <?php - $emails=db_query('SELECT email_id,email,name,smtp_host FROM '.EMAIL_TABLE.' WHERE smtp_active=1'); - if($emails && db_num_rows($emails)) { - while (list($id,$email,$name,$host) = db_fetch_row($emails)){ - $email=$name?"$name <$email>":$email; - $email=sprintf('%s (%s)',$email,$host); - ?> - <option value="<?php echo $id; ?>"<?php echo ($config['default_smtp_id']==$id)?'selected="selected"':''; ?>><?php echo $email; ?></option> - <?php - } - } ?> - </select> <font class="error"> <?php echo $errors['default_smtp_id']; ?></font><br/> - <span id="overwrite" style="display:<?php echo ($config['default_smtp_id']?'display':'none'); ?>"> - <input type="checkbox" name="spoof_default_smtp" <?php echo $config['spoof_default_smtp'] ? 'checked':''; ?>> - Allow spoofing (No Overwrite). 
<font class="error"> <?php echo $errors['spoof_default_smtp']; ?></font><br/> - </span> - </td> - </tr> - <tr><th>Default System Email:</th> - <td> - <select name="default_email_id"> - <option value=0 disabled>Select One</option> - <?php - $emails=db_query('SELECT email_id,email,name FROM '.EMAIL_TABLE); - while (list($id,$email,$name) = db_fetch_row($emails)){ - $email=$name?"$name <$email>":$email; - ?> - <option value="<?php echo $id; ?>"<?php echo ($config['default_email_id']==$id)?'selected':''; ?>><?php echo $email; ?></option> - <?php - } ?> - </select> - <font class="error">* <?php echo $errors['default_email_id']; ?></font></td> - </tr> - <tr><th valign="top">Default Alert Email:</th> - <td> - <select name="alert_email_id"> - <option value=0 disabled>Select One</option> - <option value=0 selected="selected">Use Default System Email (above)</option> - <?php - $emails=db_query('SELECT email_id,email,name FROM '.EMAIL_TABLE.' WHERE email_id != '.db_input($config['default_email_id'])); - while (list($id,$email,$name) = db_fetch_row($emails)){ - $email=$name?"$name <$email>":$email; - ?> - <option value="<?php echo $id; ?>"<?php echo ($config['alert_email_id']==$id)?'selected':''; ?>><?php echo $email; ?></option> - <?php - } ?> - </select> - <font class="error">* <?php echo $errors['alert_email_id']; ?></font> - <br/><i>Used to send out alerts and notices to staff.</i> - </td> - </tr> - <tr><th>System Admin Email Address:</th> - <td> - <input type="text" size=25 name="admin_email" value="<?php echo $config['admin_email']; ?>"> - <font class="error">* <?php echo $errors['admin_email']; ?></font></td> - </tr> - </table> - - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2>Autoresponders (Global Setting)</td></tr> - <tr class="subheader"><td colspan=2">This is global setting which can be disabled at department level.</td></tr> - <tr><th valign="top">New Ticket:</th> - <td><i>Autoresponse includes the 
ticket ID required to check status of the ticket</i><br> - <input type="radio" name="ticket_autoresponder" value="1" <?php echo $config['ticket_autoresponder']?'checked':''; ?> />Enable - <input type="radio" name="ticket_autoresponder" value="0" <?php echo !$config['ticket_autoresponder']?'checked':''; ?> />Disable - </td> - </tr> - <tr><th valign="top">New Ticket by Staff:</th> - <td><i>Notice sent when staff creates a ticket on behalf of the user (Staff can disable)</i><br> - <input type="radio" name="ticket_notice_active" value="1" <?php echo $config['ticket_notice_active']?'checked':''; ?> />Enable - <input type="radio" name="ticket_notice_active" value="0" <?php echo !$config['ticket_notice_active']?'checked':''; ?> />Disable - </td> - </tr> - <tr><th valign="top">New Message:</th> - <td><i>Message appended to an existing ticket confirmation</i><br> - <input type="radio" name="message_autoresponder" value="1" <?php echo $config['message_autoresponder']?'checked':''; ?> />Enable - <input type="radio" name="message_autoresponder" value="0" <?php echo !$config['message_autoresponder']?'checked':''; ?> />Disable - </td> - </tr> - <tr><th valign="top">Overlimit notice:</th> - <td><i>Ticket denied notice sent <b>only once</b> on limit violation to the user.</i><br/> - <input type="radio" name="overlimit_notice_active" value="1" <?php echo $config['overlimit_notice_active']?'checked':''; ?> />Enable - <input type="radio" name="overlimit_notice_active" value="0" <?php echo !$config['overlimit_notice_active']?'checked':''; ?> />Disable - <br><i><b>Note:</b> Admin gets alerts on ALL denials by default.</i><br> - </td> - </tr> - </table> - <table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2> Alerts & Notices</td></tr> - <tr class="subheader"><td colspan=2> - Notices sent to user use 'No Reply Email' whereas alerts to staff use 'Alert Email' set above as FROM address respectively.</td> - </tr> - <tr><th 
valign="top">New Ticket Alert:</th> - <td> - <input type="radio" name="ticket_alert_active" value="1" <?php echo $config['ticket_alert_active']?'checked':''; ?> />Enable - <input type="radio" name="ticket_alert_active" value="0" <?php echo !$config['ticket_alert_active']?'checked':''; ?> />Disable - <br><i>Select recipients</i> <font class="error"> <?php echo $errors['ticket_alert_active']; ?></font><br> - <input type="checkbox" name="ticket_alert_admin" <?php echo $config['ticket_alert_admin']?'checked':''; ?>> Admin Email - <input type="checkbox" name="ticket_alert_dept_manager" <?php echo $config['ticket_alert_dept_manager']?'checked':''; ?>> Department Manager - <input type="checkbox" name="ticket_alert_dept_members" <?php echo $config['ticket_alert_dept_members']?'checked':''; ?>> Department Members (spammy) - </td> - </tr> - <tr><th valign="top">New Message Alert:</th> - <td> - <input type="radio" name="message_alert_active" value="1" <?php echo $config['message_alert_active']?'checked':''; ?> />Enable - <input type="radio" name="message_alert_active" value="0" <?php echo !$config['message_alert_active']?'checked':''; ?> />Disable - <br><i>Select recipients</i> <font class="error"> <?php echo $errors['message_alert_active']; ?></font><br> - <input type="checkbox" name="message_alert_laststaff" <?php echo $config['message_alert_laststaff']?'checked':''; ?>> Last Respondent - <input type="checkbox" name="message_alert_assigned" <?php echo $config['message_alert_assigned']?'checked':''; ?>> Assigned Staff - <input type="checkbox" name="message_alert_dept_manager" <?php echo $config['message_alert_dept_manager']?'checked':''; ?>> Department Manager (spammy) - </td> - </tr> - <tr><th valign="top">New Internal Note Alert:</th> - <td> - <input type="radio" name="note_alert_active" value="1" <?php echo $config['note_alert_active']?'checked':''; ?> />Enable - <input type="radio" name="note_alert_active" value="0" <?php echo !$config['note_alert_active']?'checked':''; 
?> />Disable - <br><i>Select recipients</i> <font class="error"> <?php echo $errors['note_alert_active']; ?></font><br> - <input type="checkbox" name="note_alert_laststaff" <?php echo $config['note_alert_laststaff']?'checked':''; ?>> Last Respondent - <input type="checkbox" name="note_alert_assigned" <?php echo $config['note_alert_assigned']?'checked':''; ?>> Assigned Staff - <input type="checkbox" name="note_alert_dept_manager" <?php echo $config['note_alert_dept_manager']?'checked':''; ?>> Department Manager (spammy) - </td> - </tr> - <tr><th valign="top">Overdue Ticket Alert:</th> - <td> - <input type="radio" name="overdue_alert_active" value="1" <?php echo $config['overdue_alert_active']?'checked':''; ?> />Enable - <input type="radio" name="overdue_alert_active" value="0" <?php echo !$config['overdue_alert_active']?'checked':''; ?> />Disable - <br><i>Admin Email gets an alert by default. Select additional recipients below</i> <font class="error"> <?php echo $errors['overdue_alert_active']; ?></font><br> - <input type="checkbox" name="overdue_alert_assigned" <?php echo $config['overdue_alert_assigned']?'checked':''; ?>> Assigned Staff - <input type="checkbox" name="overdue_alert_dept_manager" <?php echo $config['overdue_alert_dept_manager']?'checked':''; ?>> Department Manager - <input type="checkbox" name="overdue_alert_dept_members" <?php echo $config['overdue_alert_dept_members']?'checked':''; ?>> Department Members (spammy) - </td> - </tr> - <tr><th valign="top">System Errors:</th> - <td><i>Enabled errors are sent to admin email set above</i><br> - <input type="checkbox" name="send_sys_errors" <?php echo $config['send_sys_errors']?'checked':'checked'; ?> disabled>System Errors - <input type="checkbox" name="send_sql_errors" <?php echo $config['send_sql_errors']?'checked':''; ?>>SQL errors - <input type="checkbox" name="send_login_errors" <?php echo $config['send_login_errors']?'checked':''; ?>>Excessive Login attempts - </td> - </tr> - - </table> - 
</td></tr>
- <tr>
- <td style="padding:10px 0 10px 240px;">
- <input class="button" type="submit" name="submit" value="Save Changes">
- <input class="button" type="reset" name="reset" value="Reset Changes">
- </td>
- </tr>
- </form>
-</table>
diff --git a/include/staff/profile.inc.php b/include/staff/profile.inc.php
index 39eaf80a54e0aa53611239b0fdccacfbfb38ceeb..073a7c8a44229e1b18bf7b7b4cc738d8689d8396 100644
--- a/include/staff/profile.inc.php
+++ b/include/staff/profile.inc.php
@@ -6,6 +6,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 $info['id']=$staff->getId();
 ?>
 <form action="profile.php" method="post" id="save" autocomplete="off">
+ <?php csrf_token(); ?>
 <input type="hidden" name="do" value="update">
 <input type="hidden" name="id" value="<?php echo $info['id']; ?>">
 <h2>My Account Profile</h2>
diff --git a/include/staff/settings-alerts.inc.php b/include/staff/settings-alerts.inc.php
index a71b9e8a88d8da1ff155de7f73bff66ef6089aa8..5bb5d393246ede7266440c30a7e9f5e41df8cc8e 100644
--- a/include/staff/settings-alerts.inc.php
+++ b/include/staff/settings-alerts.inc.php
@@ -1,4 +1,5 @@
 <form action="settings.php?t=alerts" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="alerts" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-attachments.inc.php b/include/staff/settings-attachments.inc.php
index 572c5da5a52db9fcfda21a49069efb21d7c5deb0..b381fa40d334f9f2c9077f91698c6ec90aa31491 100644
--- a/include/staff/settings-attachments.inc.php
+++ b/include/staff/settings-attachments.inc.php
@@ -4,6 +4,7 @@ if(!($maxfileuploads=ini_get('max_file_uploads')))
 ?>
 <form action="settings.php?t=attachments" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="attachments" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
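Review bot: Emitting the hidden token here only pays off if the staff-side POST handlers reject requests whose token fails validation, and that enforcement is not in this chunk — worth confirming it exists for the profile and settings pages, since the same field is also added in the settings-alerts, settings-attachments, settings-autoresponders, settings-dates, settings-emails, settings-general, settings-kb and settings-tickets hunks. `csrf_token()` is a bare global helper whose definition is outside this view, and nothing at the call site says the field is mandatory, so a short comment such as `<?php csrf_token(); /* hidden CSRF field, required on every POST form */ ?>` would stop it being dropped when a template is copied. If any script submits these `#save` forms by serialising selected fields rather than the whole form, it would need to carry the token too. The `<form>` element opened in this hunk closes outside it.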
diff --git a/include/staff/settings-autoresponders.inc.php b/include/staff/settings-autoresponders.inc.php
index 70bddc826e47c4000b8afca8c35998d36384486d..106e7f3f4d7063a6bcb4835cdbd07006b6f16b5c 100644
--- a/include/staff/settings-autoresponders.inc.php
+++ b/include/staff/settings-autoresponders.inc.php
@@ -1,4 +1,5 @@
 <form action="settings.php?t=autoresponders" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="autoresponders" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-dates.inc.php b/include/staff/settings-dates.inc.php
index 0434e94c73313ee76c790ddb90315d16636b0afb..f8085cfc3193342bf1bd6c66df87b48d9dcf5edd 100644
--- a/include/staff/settings-dates.inc.php
+++ b/include/staff/settings-dates.inc.php
@@ -2,6 +2,7 @@
 $gmtime=Misc::gmtime();
 ?>
 <form action="settings.php?t=dates" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="dates" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-emails.inc.php b/include/staff/settings-emails.inc.php
index 017eb29ec14b00dbc2575d812d5f3a2aa5727f3e..e4ccaf3a4e69329c15d474bfd3f136f9a8fe17f9 100644
--- a/include/staff/settings-emails.inc.php
+++ b/include/staff/settings-emails.inc.php
@@ -1,4 +1,5 @@
 <form action="settings.php?t=emails" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="emails" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-general.inc.php b/include/staff/settings-general.inc.php
index 2e1e347bef5c45eab3826c2b263a59149cb32fc4..20bbd94866960d2e06ae4d3451825d5752c853ac 100644
--- a/include/staff/settings-general.inc.php
+++ b/include/staff/settings-general.inc.php
@@ -1,4 +1,5 @@
 <form action="settings.php?t=general" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="general" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-kb.inc.php b/include/staff/settings-kb.inc.php
index 2d368b3bac7702f9a8ff9e76f1c1edd645a1799e..6fe8433f5ee580c5a201a42518652106af63d313 100644
--- a/include/staff/settings-kb.inc.php
+++ b/include/staff/settings-kb.inc.php
@@ -1,6 +1,5 @@
-<?php
-?>
 <form action="settings.php?t=kb" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="kb" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings-tickets.inc.php b/include/staff/settings-tickets.inc.php
index 5ada80f48bca4edfb7221e6916aa5e46efb85d94..280abca08ea44d698e0a41b56b1d8d0a62cd1693 100644
--- a/include/staff/settings-tickets.inc.php
+++ b/include/staff/settings-tickets.inc.php
@@ -1,4 +1,5 @@
 <form action="settings.php?t=tickets" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="t" value="tickets" >
 <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">
 <thead>
diff --git a/include/staff/settings.php b/include/staff/settings.php
deleted file mode 100644
index 1dac69a5c1e8ce899e2c6b79ce5d85cb90c79d84..0000000000000000000000000000000000000000
--- a/include/staff/settings.php
+++ /dev/null
@@ -1,721 +0,0 @@ -<?php include "./include/header.php" ?> -<h2>System Preferences and Settings (v1.6 ST)</h2> - -<form action="settings.php" method="post"> -<br> -<a href="#" class="expand_all">Expand All</a> | -<a href="#" class="collapse_all">Collapse All</a> -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> General Settings</a></h4> - <em>Offline mode will disable client interface and only allow super admins to login to Staff Control Panel</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220" class="required"> - Helpdesk Status: - </td> - <td> - <input type="radio" name="isonline" value="1" checked="checked"><strong>Online</strong> (Active) - <input type="radio" name="isonline" value="0"><strong>Offline</strong> (Disabled) - <span class="warn"> </span> - </td> - </tr> - <tr> - <td width="220" class="required"> - Helpdesk URL: - </td> - <td> - <input type="text" size="40" name="helpdesk_url" value="http://helpdesk.enhancesoft.com/"> - <span class="error"> </span> - </td> - </tr> - <tr> - <td width="220"> - Helpdesk Name/Title: - </td> - <td> - <input type="text" size="40" name="helpdesk_title" value="Enhancesoft :: Support Ticket System"> - </td> - </tr> - <tr> - <td width="220" class="required"> - Default E-Mail Templates: - </td> - <td> - <select name="default_template_id"> - <option value="0">Select Default Template</option> - <option value="1">osTicket Default Template</option> - <option value="3" selected="selected">No Links</option> - </select> - <span class="error"> </span> - </td> - </tr> - <tr> - <td width="220" class="required"> - Default Department: - </td> - <td> - <select name="default_dept_id"> - <option value="0">Select Default Dept</option> - <option value="1" selected="selected">Support Dept</option> - <option value="2">Billing Dept</option> - <option value="4">Test Dept</option> - </select> - <span class="error"> 
</span> - </td> - </tr> - <tr> - <td width="220"> - Default Page Size: - </td> - <td> - <select name="max_page_size"> - <option value="5">5</option> - <option value="10">10</option> - <option value="15">15</option> - <option value="20">20</option> - <option value="25" selected="selected">25</option> - <option value="30">30</option> - <option value="35">35</option> - <option value="40">40</option> - <option value="45">45</option> - <option value="50">50</option> - </select> - </td> - </tr> - <tr> - <td width="220"> - Default Log Level: - </td> - <td> - <select name="log_level"> - <option value="0">None (Disable Logger)</option> - <option value="3">DEBUG</option> - <option value="2" selected="selected">WARN</option> - <option value="1">ERROR</option> - </select> - </td> - </tr> - <tr> - <td width="220"> - Purge Logs: - </td> - <td> - <select name="log_graceperiod"> - <option value="0" selected>Never Purge Logs</option> - <option value="1">After 1 Month</option> - <option value="2">After 2 Months</option> - <option value="3">After 3 Months</option> - <option value="4">After 4 Months</option> - <option value="5">After 5 Months</option> - <option value="6">After 6 Months</option> - <option value="7">After 7 Months</option> - <option value="8">After 8 Months</option> - <option value="9">After 9 Months</option> - <option value="10">After 10 Months</option> - <option value="11">After 11 Months</option> - <option value="12">After 12 Months</option> - </select> - </td> - </tr> - <tr> - <td width="220"> - Excessive Staff Logins: - </td> - <td> - <select name="staff_max_logins"> - <option value="1">1</option> - <option value="2">2</option> - <option value="3">3</option> - <option value="4" selected="selected">4</option> - <option value="5">5</option> - <option value="6">6</option> - <option value="7">7</option> - <option value="8">8</option> - <option value="9">9</option> - <option value="10">10</option> - </select> failed login attempt(s) allowed before a - <select 
name="staff_login_timeout"> - <option value="1">1</option> - <option value="2" selected="selected">2</option> - <option value="3">3</option> - <option value="4">4</option> - <option value="5">5</option> - <option value="6">6</option> - <option value="7">7</option> - <option value="8">8</option> - <option value="9">9</option> - <option value="10">10</option> - </select> minute lock-out is enforced. - </td> - </tr> - <tr> - <td width="220"> - Staff Session Timeout: - </td> - <td> - <input type="text" name="staff_session_timeout" size="4" value="0"> - Maximum idle time in minutes before a staff member must log in again (enter 0 to disable). - </td> - </tr> - <tr> - <td width="220"> - Staff Session IP Binding: - </td> - <td> - <input type="checkbox" name="staff_ip_binding" checked="checked" value="1"> - <em>(binds staff session to originating IP address upon login)</em> - </td> - </tr> - <tr> - <td width="220"> - Excessive Client Logins: - </td> - <td> - <select name="client_max_logins"> - <option value="1">1</option> - <option value="2">2</option> - <option value="3">3</option> - <option value="4" selected="selected">4</option> - <option value="5">5</option> - <option value="6">6</option> - <option value="7">7</option> - <option value="8">8</option> - <option value="9">9</option> - <option value="10">10</option> - </select> failed login attempt(s) allowed before a - <select name="client_login_timeout"> - <option value="1">1</option> - <option value="2" selected="selected">2</option> - <option value="3">3</option> - <option value="4">4</option> - <option value="5">5</option> - <option value="6">6</option> - <option value="7">7</option> - <option value="8">8</option> - <option value="9">9</option> - <option value="10">10</option> - </select> minute lock-out is enforced. 
- </td> - </tr> - <tr> - <td width="220"> - Client Session Timeout: - </td> - <td> - <input type="text" name="client_session_timeout" size="4" value="0"> - Maximum idle time in minutes before a client must log in again (enter 0 to disable). - </td> - </tr> - <tr> - <td width="220"> - Clickable URLs: - </td> - <td> - <input type="checkbox" name="clickable_urls" checked="checked" value="1"> - <em>(converts URLs in messages to clickable links)</em> - </td> - </tr> - <tr> - <td width="220"> - Enable Auto-cron: - </td> - <td> - <input type="checkbox" name="enable_auto_cron" value="1"> - <em>(executes cron jobs based on staff activity - not recommended)</em> - </td> - </tr> - </tbody> -</table> - -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> Date and Time Settings</a></h4> - <em>Please refer to <a href="http://php.net/date" target="_blank">PHP Manual</a> for supported parameters.</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220" class="required"> - Time Format: - </td> - <td> - <input type="text" name="time_format" value="h:i A"> - <span class="error"> </span> - <em> 09:24 AM</em> - </td> - </tr> - <tr> - <td width="220" class="required"> - Date Format: - </td> - <td> - <input type="text" name="date_format" value="m/d/Y"> - <span class="error"> </span> - <em>05/06/2011</em> - </td> - </tr> - <tr> - <td width="220" class="required"> - Date & Time Format: - </td> - <td> - <input type="text" name="datetime_format" value="m/d/Y g:i a"> - <span class="error"> </span> - <em>05/06/2011 9:24 am</em> - </td> - </tr> - <tr> - <td width="220" class="required"> - Day, Date & Time Format: - </td> - <td> - <input type="text" name="daydatetime_format" value="D, M j Y g:ia"> - <span class="error">* </span> - <em>Fri, May 6 2011 9:24am</em> - </td> - </tr> - <tr> - <td width="220"> - Default Timezone: - </td> - <td> - <select name="timezone_offset"> - 
<option value="0">Server Time (GMT 0:00)</option> <option value="-12.0">GMT -12.0 (Eniwetok, Kwajalein)</option> - <option value="-11.0">GMT -11.0 (Midway Island, Samoa)</option> - <option value="-10.0">GMT -10.0 (Hawaii)</option> - <option value="-9.0">GMT -9.0 (Alaska)</option> - <option value="-8.0">GMT -8.0 (Pacific Time (US & Canada))</option> - <option value="-7.0">GMT -7.0 (Mountain Time (US & Canada))</option> - <option value="-6.0">GMT -6.0 (Central Time (US & Canada), Mexico City)</option> - <option value="-5.0" selected="selected">GMT -5.0 (Eastern Time (US & Canada), Bogota, Lima)</option> - <option value="-4.0">GMT -4.0 (Atlantic Time (Canada), Caracas, La Paz)</option> - <option value="-3.5">GMT -3.5 (Newfoundland)</option> - <option value="-3.0">GMT -3.0 (Brazil, Buenos Aires, Georgetown)</option> - <option value="-2.0">GMT -2.0 (Mid-Atlantic)</option> - <option value="-1.0">GMT -1.0 (Azores, Cape Verde Islands)</option> - <option value="0.0">GMT 0.0 (Western Europe Time, London, Lisbon, Casablanca)</option> - <option value="1.0">GMT 1.0 (Brussels, Copenhagen, Madrid, Paris)</option> - <option value="2.0">GMT 2.0 (Kaliningrad, South Africa)</option> - <option value="3.0">GMT 3.0 (Baghdad, Riyadh, Moscow, St. 
Petersburg)</option> - <option value="3.5">GMT 3.5 (Tehran)</option> - <option value="4.0">GMT 4.0 (Abu Dhabi, Muscat, Baku, Tbilisi)</option> - <option value="4.5">GMT 4.5 (Kabul)</option> - <option value="5.0">GMT 5.0 (Ekaterinburg, Islamabad, Karachi, Tashkent)</option> - <option value="5.5">GMT 5.5 (Bombay, Calcutta, Madras, New Delhi)</option> - <option value="6.0">GMT 6.0 (Almaty, Dhaka, Colombo)</option> - <option value="7.0">GMT 7.0 (Bangkok, Hanoi, Jakarta)</option> - <option value="8.0">GMT 8.0 (Beijing, Perth, Singapore, Hong Kong)</option> - <option value="9.0">GMT 9.0 (Tokyo, Seoul, Osaka, Sapporo, Yakutsk)</option> - <option value="9.5">GMT 9.5 (Adelaide, Darwin)</option> - <option value="10.0">GMT 10.0 (Eastern Australia, Guam, Vladivostok)</option> - <option value="11.0">GMT 11.0 (Magadan, Solomon Islands, New Caledonia)</option> - <option value="12.0">GMT 12.0 (Auckland, Wellington, Fiji, Kamchatka)</option> - </select> - </td> - </tr> - <tr> - <td width="220"> - Daylight Savings - </td> - <td> - <input type="checkbox" name="daylight_savings" value="1"> - <em>observe daylight savings time</em> - </td> - </tr> - </tbody> -</table> -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> Ticket Options and Settings</a></h4> - <em>If enabled ticket lock get auto-renewed on form activity.</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220"> - Ticket IDs: - </td> - <td> - <input type="radio" name="random_ticket_ids" value="0"> Sequential - <input type="radio" name="random_ticket_ids" value="1" checked="checked">Random (recommended) - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - Ticket Priority: - </td> - <td> - <select name="default_priority_id"> - <option value="1">Low</option> - <option value="2" selected="selected">Normal</option> - <option value="3">High</option> - <option value="4">Emergency</option> - 
</select> Default Priority<br> - <input type="checkbox" name="allow_priority_change" > - Allow user to overwrite/set priority (new web tickets)<br> - - <input type="checkbox" name="use_email_priority" > - Use email priority when available (new emailed tickets) - </td> - </tr> - <tr> - <td width="220"> - Maximum <strong>Open</strong> Tickets: - </td> - <td> - <input type="text" name="max_open_tickets" size="4" value="0"> - per email <em>(helps with spam and flood control - enter 0 for unlimited)</em> - </td> - </tr> - <tr> - <td width="220"> - Ticket Auto-lock Time: - </td> - <td> - <input type="text" name="autolock_minutes" size="4" value="3"> - <em>(minutes to lock a ticket on activity - enter 0 to disable locking)</em> - </td> - </tr> - <tr> - <td width="220"> - Ticket Grace Period: - </td> - <td> - <input type="text" name="overdue_grace_period" size=4 value="0"> - <em>(hours before ticket is marked overdue - enter 0 to disable aging)</em> - </td> - </tr> - <tr> - <td width="220"> - Reopened Tickets: - </td> - <td> - <input type="checkbox" name="auto_assign_reopened_tickets" checked="checked"> - Auto-assign reopened tickets to last available respondent. <em>(3 months limit)</em> - </td> - </tr> - <tr> - <td width="220"> - Assigned Tickets: - </td> - <td> - <input type="checkbox" name="show_assigned_tickets"> - Show assigned tickets on open queue. - </td> - </tr> - <tr> - <td width="220"> - Answered Tickets: - </td> - <td> - <input type="checkbox" name="show_nswered_tickets"> - Show answered tickets on open queue. - </td> - </tr> - <tr> - <td width="220"> - Ticket Activity Log: - </td> - <td> - <input type="checkbox" name="log_ticket_activity"> - Log ticket activity as an internal note. - </td> - </tr> - <tr> - <td width="220"> - Staff Identity Masking: - </td> - <td> - <input type="checkbox" name="hide_staff_name"> - Hide staff's name on responses. 
- </td> - </tr> - <tr> - <td width="220"> - Human Verification: - </td> - <td> - <input type="checkbox" name="enable_captcha"> - Enable CAPTCHA on new web tickets. - <em>(requires GDLib)</em> - </td> - </tr> - </tbody> -</table> -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> E-mail Settings</a></h4> - <em>Note that global settings can be disabled at dept/e-mail level.</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220" class="required multi-line"> - Incoming Email: - <br><em>For mail fetcher (POP/IMAP) to work you must set a cron job or enable auto-cron</em> - </td> - <td> - <input type="checkbox" name="enable_mail_fetch" value="1" checked="checked"> Enable POP/IMAP email fetch - <em>(Global setting which can be disabled at email level)</em><br> - - <input type="checkbox" name="enable_email_piping" value="1" checked="checked"> Enable email piping - <em>(You pipe we accept policy)</em><br> - - <input type="checkbox" name="strip_quoted_reply" checked="checked"> - Strip quoted reply <em>(depends on the tag below)</em><br><br> - - Reply Separator Tag: - <input type="text" name="reply_separator" value="-- do not edit --"> - <span class="error"> </span> - </td> - </tr> - <tr> - <td width="220" class="required multi-line"> - Outgoing Email: - <br><em><strong>Default Email:</strong> Only applies to outgoing emails with no SMTP settings.</em><br/> - - </td> - <td> - <select name="default_smtp_id" onChange="document.getElementById('overwrite').style.display=(this.options[this.selectedIndex].value>0)?'block':'none';"> - <option value="0">Select One</option> - <option value="0">None: Use PHP mail function</option> - <option value="1" selected="selected">osTicket Support <support@osticket.com> (smtp.gmail.com)</option> - </select> - - <span id="overwrite" style="display:display"> - <br><input type="checkbox" name="spoof_default_smtp" > - Allow 
spoofing (No Overwrite). - </span> - </td> - </tr> - <tr> - <td width="220" class="required"> - Default System E-Mail: - </td> - <td> - <select name="default_email_id"> - <option value="0">Select One</option> - <option value="1" selected="selected">osTicket Support <support@osticket.com></option> - <option value="2">osTicket Alerts <alerts@osticket.com></option> - <option value="3">noreply@osticket.com</option> - <option value="5">lvcta.com (Test) <support@lvcta.com></option> - </select> - </td> - </tr> - <tr> - <td width="220" class="required"> - Default Alert E-Mail: - </td> - <td> - <select name="alert_email_id"> - <option value="0">Select One</option> - <option value="1">osTicket Support <support@osticket.com></option> - <option value="2" selected="selected">osTicket Alerts <alerts@osticket.com></option> - <option value="3">noreply@osticket.com</option> - <option value="5">lvcta.com (Test) <support@lvcta.com></option> - </select> - </td> - </tr> - <tr> - <td width="220" class="required"> - System Admin E-mail Address: - </td> - <td> - <input type="text" size="25" name="admin_email" value="peter@osticket.com"> - <span class="error"> </span> - </td> - </tr> - </tbody> -</table> -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> Autoresponders (Global Setting)</a></h4> - <em>This is global setting which can be disabled at department level.</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220" class="multi-line"> - New Ticket: - </td> - <td> - <em>Autoresponse includes the ticket ID required to check status of the ticket</em><br> - <input type="radio" name="ticket_autoresponder" value="1">Enable - <input type="radio" name="ticket_autoresponder" value="0" checked="checked">Disable - <br><br> - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - New Ticket by Staff: - </td> - <td> - <em>Notice sent when staff creates a ticket on 
behalf of the user (Staff can disable)</em><br> - <input type="radio" name="ticket_notice_active" value="1" checked="checked">Enable - <input type="radio" name="ticket_notice_active" value="0">Disable - <br><br> - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - New Message: - </td> - <td> - <em>Message appended to an existing ticket confirmation</em><br> - <input type="radio" name="message_autoresponder" value="1">Enable - <input type="radio" name="message_autoresponder" value="0" checked="checked">Disable - <br><br> - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - Ticket Denied: - </td> - <td> - <em>Ticket denied notice sent <strong>only once</strong> on limit violation to the user.</em><br> - <input type="radio" name="overlimit_notice_active" value="1">Enable - <input type="radio" name="overlimit_notice_active" value="0" checked="checked">Disable - <em><strong>Note:</strong> Admin gets alerts on ALL denials by default.</em> - <br><br> - </td> - </tr> - </tbody> -</table> -<table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2"> - <thead> - <tr> - <th colspan="2"> - <h4><a href="#"><span>–</span> Alerts and Notices</a></h4> - <em>Notices sent to user use 'No Reply Email' whereas alerts to staff use 'Alert Email' set above as FROM address respectively.</em> - </th> - </tr> - </thead> - <tbody> - <tr> - <td width="220" class="multi-line"> - New Ticket Alert: - </td> - <td> - <input type="radio" name="ticket_alert_active" value="1" checked="checked">Enable - <input type="radio" name="ticket_alert_active" value="0">Disable - <br> - <strong>Select recipients:</strong> - <input type="checkbox" name="ticket_alert_admin" checked="checked"> Admin Email - <input type="checkbox" name="ticket_alert_dept_manager"> Department Manager - <input type="checkbox" name="ticket_alert_dept_members"> Department Members (spammy) - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - New Message Alert: - </td> - 
<td> - <input type="radio" name="message_alert_active" value="1" checked="checked">Enable - <input type="radio" name="message_alert_active" value="0">Disable - <br> - <strong>Select recipients:</strong> - <input type="checkbox" name="message_alert_laststaff" checked="checked"> Last Respondent - <input type="checkbox" name="message_alert_assigned" checked="checked"> Assigned Staff - <input type="checkbox" name="message_alert_dept_manager"> Department Manager (spammy) - </td> - </tr> - <tr> - <td width="220"> - New Internal Note Alert: - </td> - <td> - <input type="radio" name="note_alert_active" value="1" checked="checked">Enable - <input type="radio" name="note_alert_active" value="0">Disable - <br> - <strong>Select recipients:</strong> - <input type="checkbox" name="note_alert_laststaff" checked="checked"> Last Respondent - <input type="checkbox" name="note_alert_assigned" checked="checked"> Assigned Staff - <input type="checkbox" name="note_alert_dept_manager"> Department Manager (spammy) - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - Overdue Ticket Alert: - </td> - <td> - <input type="radio" name="overdue_alert_active" value="1" checked="checked">Enable - <input type="radio" name="overdue_alert_active" value="0">Disable - <br> - <strong>Select recipients:</strong> - <input type="checkbox" name="overdue_alert_assigned" checked="checked"> Assigned Staff - <input type="checkbox" name="overdue_alert_dept_manager" checked="checked"> Department Manager - <input type="checkbox" name="overdue_alert_dept_members"> Department Members (spammy) - <br><em><strong>Note:</strong> Admin gets all overdue alerts by default.</em> - </td> - </tr> - <tr> - <td width="220" class="multi-line"> - System Errors: - </td> - <td> - <input type="checkbox" name="send_sys_errors" checked="checked" disabled="disabled">System Errors - <input type="checkbox" name="send_sql_errors" checked="checked">SQL errors - <input type="checkbox" name="send_login_errors" 
checked="checked">Excessive Login attempts - <br><em>Enabled errors are sent to admin email set above</em> - </td> - </tr> - </tbody> -</table> -<p class="centered"> - <input class="btn_sm" type="submit" name="submit" value="Save Changes"> - <input class="btn_sm" type="reset" name="reset" value="Reset Changes"> -</p> -</form> - -<script type="text/javascript"> - jQuery(function($) { - $('.expand_all').click(function(e) { - e.preventDefault(); - $('.settings_table tbody').each(function() { - $(this).slideDown(); - }) - $('.settings_table h4 span').each(function() { - $(this).html('–'); - }) - }) - $('.collapse_all').click(function(e) { - e.preventDefault(); - $('.settings_table tbody').each(function() { - $(this).slideUp(); - }) - $('.settings_table h4 span').each(function() { - $(this).text('+'); - }) - }) - $('.settings_table h4 a').click(function(e) { - e.preventDefault(); - var parent_elem = $(this).parent().parent().parent().parent().parent(); - $('tbody', parent_elem).slideToggle(); - if($('th span', parent_elem).text() == '+') { - $('th span', parent_elem).html('–') - } else { - $('th span', parent_elem).text('+') - } - }) - }); -</script> - -<?php include "./include/footer.php" ?> diff --git a/include/staff/slaplan.inc.php b/include/staff/slaplan.inc.php index 70db620e84d83dc66a53cf6c08e1d97ea2b31f24..d9c1574feaa1a2bb80e6dc5145f1461dd0fcd0a0 100644 --- a/include/staff/slaplan.inc.php +++ b/include/staff/slaplan.inc.php @@ -21,6 +21,7 @@ if($sla && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="slas.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> 
diff --git a/include/staff/slaplans.inc.php b/include/staff/slaplans.inc.php index b8997b6a34be75b697624384e0e39006c5c16feb..c30d4459a24e824aa3724e844bdf0deaca14d532 100644 --- a/include/staff/slaplans.inc.php +++ b/include/staff/slaplans.inc.php @@ -46,6 +46,7 @@ else <b><a href="slas.php?a=add" class="Icon newsla">Add New SLA Plan</a></b></div> <div class="clear"></div> <form action="slas.php" method="POST" name="slas" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/staff.inc.php b/include/staff/staff.inc.php index 39651227105158adcadf5283517589ff8dc52ce8..ab10d7d1955c090adeef4887c319045e7190265a 100644 --- a/include/staff/staff.inc.php +++ b/include/staff/staff.inc.php @@ -27,6 +27,7 @@ if($staff && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="staff.php?<?php echo $qstr; ?>" method="post" id="save" autocomplete="off"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/staffmembers.inc.php b/include/staff/staffmembers.inc.php index b01e3387ff28da3e2f8e419b4e728293fe851254..d923815a0c876b8e5a4ff76d9b4ed96a12e90286 100644 --- a/include/staff/staffmembers.inc.php +++ b/include/staff/staffmembers.inc.php @@ -116,6 +116,7 @@ else $showing='No staff found!'; ?> <form action="staff.php" method="POST" name="staff" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> 
diff --git a/include/staff/syslogs.inc.php b/include/staff/syslogs.inc.php index 0799e98f8e7a78ad09fa1e2eb1260925be374ecc..ead5cf544932569261cecf166bfa0f152d309a76 100644 --- a/include/staff/syslogs.inc.php +++ b/include/staff/syslogs.inc.php @@ -105,6 +105,7 @@ else </form> </div> <form action="logs.php" method="POST" name="logs" onSubmit="return checkbox_checker(this,1,0);"> +<?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/team.inc.php b/include/staff/team.inc.php index 51b06ce2d1fa51344dbef35258a72cc68ddbf60b..f533bf12b85c7fa29b7435e0c037081a6a626378 100644 --- a/include/staff/team.inc.php +++ b/include/staff/team.inc.php @@ -21,6 +21,7 @@ if($team && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="teams.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/teams.inc.php b/include/staff/teams.inc.php index ab3a2f58d4a88e94ea4d08653b853352d37be680..d9dcee5bbc0031e2707394932294f9e5b88e612b 100644 --- a/include/staff/teams.inc.php +++ b/include/staff/teams.inc.php @@ -45,6 +45,7 @@ else <b><a href="teams.php?a=add" class="Icon newteam">Add New Team</a></b></div> <div class="clear"></div> <form action="teams.php" method="POST" name="teams" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> 
diff --git a/include/staff/template.inc.php b/include/staff/template.inc.php index ac5c09a744879021e7286f116dc91e18a26df95f..aff5f8e3b780e46bd54bc23e0ded14694fe63e71 100644 --- a/include/staff/template.inc.php +++ b/include/staff/template.inc.php @@ -20,6 +20,7 @@ if($template && $_REQUEST['a']!='add'){ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="templates.php?<?php echo $qstr; ?>" method="post" id="save"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> <input type="hidden" name="id" value="<?php echo $info['id']; ?>"> diff --git a/include/staff/templates.inc.php b/include/staff/templates.inc.php index f60e3b010ec7efe053fd1a73df1cefe9366b9daa..dfdfb91c858d820b965867874282d76eeddab30c 100644 --- a/include/staff/templates.inc.php +++ b/include/staff/templates.inc.php @@ -49,6 +49,7 @@ else <b><a href="templates.php?a=add" class="Icon newEmailTemplate">Add New Template</a></b></div> <div class="clear"></div> <form action="templates.php" method="POST" name="tpls" onSubmit="return checkbox_checker(this,1,0);"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="mass_process" > <table class="list" border="0" cellspacing="1" cellpadding="0" width="940"> <caption><?php echo $showing; ?></caption> diff --git a/include/staff/ticket-edit.inc.php b/include/staff/ticket-edit.inc.php index 7bbf0921e5ed97a076e0dc5df4aa61dde44e27fb..a0138118886857922da11f3a10bcb5d7bb1d1938 100644 --- a/include/staff/ticket-edit.inc.php +++ b/include/staff/ticket-edit.inc.php 
@@ -4,6 +4,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->canEditTickets() || !$ti $info=Format::htmlchars(($errors && $_POST)?$_POST:$ticket->getUpdateInfo()); ?> <form action="tickets.php?id=<?php echo $ticket->getId(); ?>&a=edit" method="post" id="save" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="update"> <input type="hidden" name="a" value="edit"> <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>"> diff --git a/include/staff/ticket-open.inc.php b/include/staff/ticket-open.inc.php index 680fbad151ba038104410a3a778f3371841d4ed1..a61c7bfcbd2396bfe5e20d6bc0f2abb827d4b009 100644 --- a/include/staff/ticket-open.inc.php +++ b/include/staff/ticket-open.inc.php @@ -4,6 +4,7 @@ $info=array(); $info=Format::htmlchars(($errors && $_POST)?$_POST:$info); ?> <form action="tickets.php?a=open" method="post" id="save" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="create"> <input type="hidden" name="a" value="open"> <h2>Open New Ticket</h2> diff --git a/include/staff/ticket-view.inc.php b/include/staff/ticket-view.inc.php index 281d2042074912267af746e38617f66c73b30c8b..633fe2f27d0eea17965c758b932c8650c7c9b768 100644 --- a/include/staff/ticket-view.inc.php +++ b/include/staff/ticket-view.inc.php @@ -288,6 +288,7 @@ if(!$cfg->showNotesInline()) { ?> </ul> <form id="reply" action="tickets.php?id=<?php echo $ticket->getId(); ?>#reply" name="reply" method="post" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>"> <input type="hidden" name="msgId" value="<?php echo $msgId; ?>"> <input type="hidden" name="a" value="reply"> 
@@ -398,6 +399,7 @@ if(!$cfg->showNotesInline()) { ?> </p> </form> <form id="note" action="tickets.php?id=<?php echo $ticket->getId(); ?>#note" name="note" method="post" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>"> <input type="hidden" name="a" value="postnote"> <table border="0" cellspacing="0" cellpadding="3"> @@ -486,6 +488,7 @@ if(!$cfg->showNotesInline()) { ?> <?php if($thisstaff->canTransferTickets()) { ?> <form id="transfer" action="tickets.php?id=<?php echo $ticket->getId(); ?>#transfer" name="transfer" method="post" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="ticket_id" value="<?php echo $ticket->getId(); ?>"> <input type="hidden" name="a" value="transfer"> <table border="0" cellspacing="0" cellpadding="3"> @@ -534,6 +537,7 @@ if(!$cfg->showNotesInline()) { ?> <?php if($thisstaff->canAssignTickets()) { ?> <form id="assign" action="tickets.php?id=<?php echo $ticket->getId(); ?>#assign" name="assign" method="post" enctype="multipart/form-data"> + <?php csrf_token(); ?> <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>"> <input type="hidden" name="a" value="assign"> <table border="0" cellspacing="0" cellpadding="3"> @@ -610,6 +614,7 @@ if(!$cfg->showNotesInline()) { ?> <a class="close" href="">×</a> <hr/> <form action="tickets.php?id=<?php echo $ticket->getId(); ?>" method="post" id="print-form" name="print-form"> + <?php csrf_token(); ?> <input type="hidden" name="a" value="print"> <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>"> <fieldset class="notes"> diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php index 8397a4988d504f7394afa6a6ba0a05da7584eb16..cbe8a6a982c22ee6c5c2ecfc2427164f9254e65d 100644 --- a/include/staff/tickets.inc.php +++ b/include/staff/tickets.inc.php 
@@ -270,6 +270,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting.. <!-- SEARCH FORM START --> <div id='basic_search'> <form action="tickets.php" method="get"> + <?php csrf_token(); ?> <input type="hidden" name="a" value="search"> <table> <tr> @@ -285,6 +286,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting.. <div class="clear"></div> <div style="margin-bottom:20px"> <form action="tickets.php" method="POST" name='tickets' onSubmit="return checkbox_checker(this,1,0);"> +<?php csrf_token(); ?> <a class="refresh" href="<?php echo $_SERVER['REQUEST_URI']; ?>">Refresh</a> <input type="hidden" name="a" value="mass_process" > <input type="hidden" name="status" value="<?php echo $status; ?>" > diff --git a/include/staff/topic.inc.php b/include/staff/topic.inc.php deleted file mode 100644 index f0f895409d99ebd2c39c4013572b1ee455887090..0000000000000000000000000000000000000000 --- a/include/staff/topic.inc.php +++ /dev/null 
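Review bot: The token is emitted into the `basic_search` form, which is `method="get"`, so the CSRF token will be appended to the URL query string of every ticket search and can end up in browser history, server access logs and the Referer header of outbound links. A search form only reads data and does not need CSRF protection, and the staff-side enforcement in this diff is tied to POST requests. Drop the `<?php csrf_token(); ?>` line from the GET form in this hunk and keep it only in the POST `tickets` form of the following hunk.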
@@ -1,80 +0,0 @@ -<?php -if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied'); - -$info=($_POST && $errors)?Format::input($_POST):array(); //Re-use the post info on error...savekeyboards.org -if($topic && $_REQUEST['a']!='new'){ - $title='Edit Topic'; - $action='update'; - $info=$info?$info:$topic->getInfo(); -}else { - $title='New Help Topic'; - $action='create'; - $info['isactive']=isset($info['isactive'])?$info['isactive']:1; -} -//get the goodies. -$depts= db_query('SELECT dept_id,dept_name FROM '.DEPT_TABLE); -$priorities= db_query('SELECT priority_id,priority_desc FROM '.TICKET_PRIORITY_TABLE); -?> -<form action="admin.php?t=topics" method="post"> - <input type="hidden" name="do" value="<?php echo $action; ?>"> - <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>"> - <input type='hidden' name='t' value='topics'> - <input type="hidden" name="topic_id" value="<?php echo $info['topic_id']; ?>"> -<table width="100%" border="0" cellspacing=0 cellpadding=2 class="tform"> - <tr class="header"><td colspan=2><?php echo $title; ?></td></tr> - <tr class="subheader"> - <td colspan=2 >Disabling auto response will overwrite dept settings.</td> - </tr> - <tr> - <th width="20%">Help Topic:</th> - <td><input type="text" name="topic" size="55" value="<?php echo $info['topic']; ?>"> - <font class="error">* <?php echo $errors['topic']; ?></font></td> - </tr> - <tr><th>Topic Status</th> - <td> - <input type="radio" name="isactive" value="1" <?php echo $info['isactive']?'checked':''; ?> />Active - <input type="radio" name="isactive" value="0" <?php echo !$info['isactive']?'checked':''; ?> />Disabled - </td> - </tr> - <tr> - <th nowrap>Auto Response:</th> - <td> - <input type="checkbox" name="noautoresp" value=1 <?php echo $info['noautoresp']? 'checked': ''; ?> > - <b>Disable</b> autoresponse for this topic. 
(<i>Overwrite Dept setting</i>) - </td> - </tr> - <tr> - <th>New Ticket Priority:</th> - <td> - <select name="priority_id"> - <option value=0>Select Priority</option> - <?php - while (list($id,$name) = db_fetch_row($priorities)){ - $selected = ($info['priority_id']==$id)?'selected':''; ?> - <option value="<?php echo $id; ?>"<?php echo $selected; ?>><?php echo $name; ?></option> - <?php - } ?> - </select> <font class="error">* <?php echo $errors['priority_id']; ?></font> - </td> - </tr> - <tr> - <th nowrap>New Ticket Department:</th> - <td> - <select name="dept_id"> - <option value=0>Select Department</option> - <?php - while (list($id,$name) = db_fetch_row($depts)){ - $selected = ($info['dept_id']==$id)?'selected':''; ?> - <option value="<?php echo $id; ?>"<?php echo $selected; ?>><?php echo $name; ?> Dept</option> - <?php - } ?> - </select> <font class="error">* <?php echo $errors['dept_id']; ?></font> - </td> - </tr> -</table> -<div style="padding-left:220px;"> - <input class="button" type="submit" name="submit" value="Submit"> - <input class="button" type="reset" name="reset" value="Reset"> - <input class="button" type="button" name="cancel" value="Cancel" onClick='window.location.href="admin.php?t=topics"'> -</div> -</form> diff --git a/include/upgrader/prereq.inc.php b/include/upgrader/prereq.inc.php index 814c76fff32403b227efbf26bcf490f757dc8d83..d32fc328fbe3dd51759ddbaee6f58ac25d862aa2 100644 --- a/include/upgrader/prereq.inc.php +++ b/include/upgrader/prereq.inc.php @@ -27,6 +27,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D </ul> <div id="bar"> <form method="post" action="upgrade.php" id="prereq"> + <?php csrf_token(); ?> <input type="hidden" name="s" value="prereq"> <input class="btn" type="submit" name="submit" value="Start Upgrade Now »"> </form> 
diff --git a/include/upgrader/rename.inc.php b/include/upgrader/rename.inc.php
index 6d449567f247902466e73878d752949b97f52c0c..0b649bfa0a3dc1902e0aad168573719eab905bde 100644
--- a/include/upgrader/rename.inc.php
+++ b/include/upgrader/rename.inc.php
@@ -18,6 +18,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D
 <p>Please refer to the <a target="_blank" href="http://osticket.com/wiki/Upgrade_and_Migration">Upgrade Guide</a> for more information.</p>
 <div id="bar">
 <form method="post" action="upgrade.php">
+ <?php csrf_token(); ?>
 <input type="hidden" name="s" value="prereq">
 <input class="btn" type="submit" name="submit" value="Continue »">
 </form>
diff --git a/include/upgrader/upgrade.inc.php b/include/upgrader/upgrade.inc.php
index 9e95af3ff030e87d3f1af20881f44b842fc7c769..7c8a8aae47e692d9337a51c46a46f2114c4a2848 100644
--- a/include/upgrader/upgrade.inc.php
+++ b/include/upgrader/upgrade.inc.php
@@ -18,6 +18,7 @@ $action=$upgrader->getNextAction();
 </ul>
 <div id="bar">
 <form method="post" action="upgrade.php" id="upgrade">
+ <?php csrf_token(); ?>
 <input type="hidden" name="s" value="upgrade">
 <input type="hidden" name="sh" value="<?php echo $upgrader->getSchemaSignature(); ?>">
 <input class="btn" type="submit" name="submit" value="Do It Now!">
diff --git a/scp/ajax.php b/scp/ajax.php
index 5fab761d2fa598ed050f1758b89986b7607bad09..8ffa515402f907b6525b1f74786bf6e1a0378c98 100644
--- a/scp/ajax.php
+++ b/scp/ajax.php
@@ -55,7 +55,7 @@ $dispatcher = patterns('',
 url_get('^/users$', array('ajax.users.php:UsersAjaxAPI', 'search')),
 url('^/tickets/', patterns('ajax.tickets.php:TicketsAjaxAPI',
 url_get('^(?P<tid>\d+)/preview', 'previewTicket'),
- url_get('^(?P<tid>\d+)/lock', 'acquireLock'),
+ url_post('^(?P<tid>\d+)/lock', 'acquireLock'),
 url_post('^(?P<tid>\d+)/lock/(?P<id>\d+)/renew', 'renewLock'),
 url_post('^(?P<tid>\d+)/lock/(?P<id>\d+)/release', 'releaseLock'),
 url_get('^lookup', 'lookup'),
diff --git a/scp/apikeys.php b/scp/apikeys.php
index ece24444537c8243a91779e59704314a672efe65..e393a31c5f2bea0647a238240ba5e9021ad3c9ab 100644
--- a/scp/apikeys.php
+++ b/scp/apikeys.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.API_KEY_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.API_KEY_TABLE.' SET isactive=1 WHERE id IN ('.
+ implode(',', db_input($_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected API keys enabled';
@@ -55,7 +56,8 @@ if($_POST){
 $errors['err']='Unable to enable selected API keys.';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.API_KEY_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.API_KEY_TABLE.' SET isactive=0 WHERE id IN ('.
+ implode(',', db_input($_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected API keys disabled';
diff --git a/scp/banlist.php b/scp/banlist.php
index b56d05c6d07b28b2536127abe9a5b3be6330cb69..081fde9b4ed0cd18713cab78e795c2e0eaf1df1b 100644
--- a/scp/banlist.php
+++ b/scp/banlist.php
@@ -68,8 +68,10 @@ if($_POST && !$errors && $filter){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=1 WHERE filter_id='.db_input($filter->getId()).
- ' AND id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=1 WHERE filter_id='.
+ db_input($filter->getId()).
+ ' AND id IN ('.
+ implode(',', db_input($_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected emails ban status set to enabled';
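Review bot: The `IN (...)` lists are now built with `implode(',', db_input($_POST['ids']))`, which relies on `db_input()` accepting an array and returning an array of escaped values; its array handling is not part of this diff, and if it only escapes scalars `implode()` would receive a string and the query would be malformed. Since every one of these lists is a numeric primary key, a fix that does not depend on the helper's behaviour and documents the intent is `implode(',', array_map('intval', $_POST['ids']))`. The same pattern applies to the banlist, canned, categories, departments, emails, filters, groups and helptopics hunks that follow; emails.php builds the same list twice in one statement and could compute it once into a local. The enclosing `if($_POST)` blocks start outside the hunks, so whether `$_POST['ids']` is checked to be a non-empty array before this point is not visible here.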
@@ -79,8 +81,10 @@ if($_POST && !$errors && $filter){ $errors['err']='Unable to enable selected emails'; } }elseif($_POST['disable']){ - $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=0 WHERE filter_id='.db_input($filter->getId()). - ' AND id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=0 WHERE filter_id='. + db_input($filter->getId()). + ' AND id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected emails ban status set to disabled'; diff --git a/scp/canned.php b/scp/canned.php index cb6da802e404396d561ba306eb4972da3ec2249a..2a2252233627510e35f0f12da6f9c916751c8143 100644 --- a/scp/canned.php +++ b/scp/canned.php @@ -71,7 +71,8 @@ if($_POST && $thisstaff->canManageCannedResponses()) { } else { $count=count($_POST['ids']); if($_POST['enable']) { - $sql='UPDATE '.CANNED_TABLE.' SET isenabled=1 WHERE canned_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.CANNED_TABLE.' SET isenabled=1 WHERE canned_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected canned replies enabled'; @@ -81,7 +82,8 @@ if($_POST && $thisstaff->canManageCannedResponses()) { $errors['err']='Unable to enable selected canned replies.'; } } elseif($_POST['disable']) { - $sql='UPDATE '.CANNED_TABLE.' SET isenabled=0 WHERE canned_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.CANNED_TABLE.' SET isenabled=0 WHERE canned_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected canned replies disabled'; diff --git a/scp/categories.php b/scp/categories.php index 787b81b5f2bb50d4aa63cdb7a15b8f3adf52af27..6b645fc847737e335feb0c474d868b819f8c7c2d 100644 --- a/scp/categories.php +++ b/scp/categories.php 
@@ -52,7 +52,8 @@ if($_POST){ } else { $count=count($_POST['ids']); if($_POST['public']) { - $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=1 WHERE category_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=1 WHERE category_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected categories made PUBLIC'; @@ -62,7 +63,8 @@ if($_POST){ $errors['err']='Unable to enable selected categories public.'; } } elseif($_POST['private']) { - $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=0 WHERE category_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=0 WHERE category_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected categories made PRIVATE'; diff --git a/scp/departments.php b/scp/departments.php index d0869cdf7302cafc8fb8fff071b28291833e4120..ef1acb12d62adcaa3c6285a210e7aa9d3f57fc29 100644 --- a/scp/departments.php +++ b/scp/departments.php @@ -45,7 +45,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['public']){ - $sql='UPDATE '.DEPT_TABLE.' SET ispublic=1 WHERE dept_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.DEPT_TABLE.' SET ispublic=1 WHERE dept_id IN (' + .implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected departments made public'; @@ -56,7 +57,9 @@ if($_POST){ } }elseif($_POST['private']){ $sql='UPDATE '.DEPT_TABLE.' SET ispublic=0 '. - 'WHERE dept_id IN ('.implode(',',$_POST['ids']).') AND dept_id!='.db_input($cfg->getDefaultDeptId()); + 'WHERE dept_id IN (' + .implode(',', db_input($_POST['ids'])) + .') AND dept_id!='.db_input($cfg->getDefaultDeptId()); if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected departments made private'; 
@@ -68,7 +71,8 @@ if($_POST){ }elseif($_POST['delete']){ //Deny all deletes if one of the selections has members in it. - $sql='SELECT count(staff_id) FROM '.STAFF_TABLE.' WHERE dept_id IN ('.implode(',',$_POST['ids']).')'; + $sql='SELECT count(staff_id) FROM '.STAFF_TABLE.' WHERE dept_id IN (' + .implode(',', db_input($_POST['ids'])).')'; list($members)=db_fetch_row(db_query($sql)); if($members) $errors['err']='Dept. with users can not be deleted. Move staff first.'; diff --git a/scp/emails.php b/scp/emails.php index ddc626fb36dc9265b41835a95dbc6bf7c676e96b..b0d32bb59bf9d415275aaada58c96cf3df892629 100644 --- a/scp/emails.php +++ b/scp/emails.php @@ -46,7 +46,10 @@ if($_POST){ $count=count($_POST['ids']); $sql='SELECT count(dept_id) FROM '.DEPT_TABLE.' dept '. - 'WHERE email_id IN ('.implode(',',$_POST['ids']).') OR autoresp_email_id IN ('.implode(',',$_POST['ids']).')'; + 'WHERE email_id IN ('. + implode(',', db_input($_POST['ids'])). + ') OR autoresp_email_id IN ('. + implode(',', db_input($_POST['ids'])).')'; list($depts)=db_fetch_row(db_query($sql)); if($depts>0){ $errors['err']='One or more of the selected emails is being used by a department. Remove association first!'; diff --git a/scp/emailtest.php b/scp/emailtest.php index 9f9b2decb0a3b5e4cde81b3b4ca1ce4ec853a0f5..0ca1d7308cc8c62f0f9852a57f45d4e8802e805a 100644 --- a/scp/emailtest.php +++ b/scp/emailtest.php @@ -15,6 +15,7 @@ **********************************************************************/ require('admin.inc.php'); include_once(INCLUDE_DIR.'class.email.php'); +include_once(INCLUDE_DIR.'class.csrf.php'); $info=array(); $info['subj']='osTicket test email'; @@ -47,6 +48,7 @@ $nav->setTabActive('emails'); require(STAFFINC_DIR.'header.inc.php'); ?> <form action="emailtest.php" method="post" id="emailtest"> + <?php csrf_token(); ?> <input type="hidden" name="do" value="<?php echo $action; ?>"> <h2>Test Outgoing Email</h2> <table class="form_table" width="940" border="0" cellspacing="0" cellpadding="2"> 
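Review bot: emailtest.php gains its own `include_once(INCLUDE_DIR.'class.csrf.php');` while every other template in this diff calls `csrf_token()` with no include of its own, which suggests the class and the helper are loaded by the common bootstrap; if so this per-page include is redundant, and if not, the other pages would fail on the undefined function. `csrf_token()` itself is not defined anywhere in this diff, so confirm where it lives and either load it once centrally or drop this include so the two paths do not diverge.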
diff --git a/scp/filters.php b/scp/filters.php index fbbf923a9c8052db8f12e3eeb6056a9d8b29a4f8..4ce0f30765f5192617f22345c00571f26d206af2 100644 --- a/scp/filters.php +++ b/scp/filters.php @@ -49,7 +49,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=1 WHERE id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected filters enabled'; @@ -59,7 +60,8 @@ if($_POST){ $errors['err']='Unable to enable selected filters'; } }elseif($_POST['disable']){ - $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=0 WHERE id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected filters disabled'; diff --git a/scp/groups.php b/scp/groups.php index 4a0b9f157960398ddb9bfc8683629af39a83d3a6..22b1bae0acb36959fff05ec3f75323a691053920 100644 --- a/scp/groups.php +++ b/scp/groups.php @@ -43,7 +43,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=1, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=1, updated=NOW() WHERE group_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected groups activated'; 
@@ -53,7 +54,8 @@ if($_POST){ $errors['err']='Unable to activate selected groups'; } }elseif($_POST['disable']){ - $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=0, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=0, updated=NOW() WHERE group_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected groups disabled'; diff --git a/scp/helptopics.php b/scp/helptopics.php index 18c34393e9b89a67c91661b516f0f045273d34da..5bd1ded7048f26307f2cd18d09d6b3a946f13f65 100644 --- a/scp/helptopics.php +++ b/scp/helptopics.php @@ -45,7 +45,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.TOPIC_TABLE.' SET isactive=1 WHERE topic_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.TOPIC_TABLE.' SET isactive=1 WHERE topic_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected help topics enabled'; @@ -55,7 +56,8 @@ if($_POST){ $errors['err']='Unable to enable selected help topics.'; } }elseif($_POST['disable']){ - $sql='UPDATE '.TOPIC_TABLE.' SET isactive=0 WHERE topic_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.TOPIC_TABLE.' SET isactive=0 WHERE topic_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected help topics disabled'; diff --git a/scp/js/scp.js b/scp/js/scp.js index f5db29a936089b72c2d91066c645de3db3af750a..c46c624d49ca97127b9bca3485c6dd313c53497b 100644 --- a/scp/js/scp.js +++ b/scp/js/scp.js 
@@ -173,7 +173,34 @@ $(document).ready(function(){ - /* global inits */ + /************ global inits *****************/ + + //Add CSRF token to the ajax requests. + // Many thanks to https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ + jared. + $(document).ajaxSend(function(event, xhr, settings) { + + function sameOrigin(url) { + // url could be relative or scheme relative or absolute + var host = document.location.host; // host + port + var protocol = document.location.protocol; + var sr_origin = '//' + host; + var origin = protocol + sr_origin; + // Allow absolute or scheme relative URLs to same origin + return (url == origin || url.slice(0, origin.length + 1) == origin + '/') || + (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') || + // or any other URL that isn't scheme relative or absolute i.e + // relative. + !(/^(\/\/|http:|https:).*/.test(url)); + } + + function safeMethod(method) { + return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method)); + } + if (!safeMethod(settings.type) && sameOrigin(settings.url)) { + xhr.setRequestHeader("X-CSRFToken", $("meta[name=csrf_token]").attr("content")); + } + + }); /* Get config settings from the backend */ $.get('ajax.php/config/ui.json', @@ -323,5 +350,4 @@ $(document).ready(function(){ $('.buttons', elem).show(); }); }); - }); diff --git a/scp/js/ticket.js b/scp/js/ticket.js index 6dab24ded5534fed9777b7fa62fac42c3f119e51..2913c225cf0579f3587442831a135bb3464b53f8 100644 --- a/scp/js/ticket.js +++ b/scp/js/ticket.js @@ -152,7 +152,7 @@ var autoLock = { autoLock.renewLock(e); } else { $.ajax({ - type: "GET", + type: "POST", url: 'ajax.php/tickets/'+autoLock.tid+'/lock', dataType: 'json', cache: false, diff --git a/scp/login.php b/scp/login.php index c96e5ad5671e261d97a4b37f0c9fdb7f47896661..6a28e0f45130f26f733f8eca82066565f5e2d9dc 100644 --- a/scp/login.php +++ b/scp/login.php 
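Review bot: `sameOrigin` decides "relative, therefore same-origin" with a case-sensitive regex, `/^(\/\/|http:|https:).*/`, so a URL such as `HTTP://other.host/x` is not recognised as absolute, passes the check, and gets the token attached; add the `i` flag, `!(/^(\/\/|http:|https:)/i.test(url))`. Exploitability depends on whether any of the page's scripts build ajax URLs from data it does not control, which this hunk does not show, but the check is meant to be the last line of defence and should be exact. Separately, `$("meta[name=csrf_token]").attr("content")` is `undefined` on any page that omits the meta tag and then sends the literal string "undefined" as the header; read it once into a local and skip `setRequestHeader` when it is empty.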
@@ -17,6 +17,7 @@ require_once('../main.inc.php'); if(!defined('INCLUDE_DIR')) die('Fatal Error. Kwaheri!'); require_once(INCLUDE_DIR.'class.staff.php'); +require_once(INCLUDE_DIR.'class.csrf.php'); $msg=$_SESSION['_staff']['auth']['msg']; $msg=$msg?$msg:'Authentication Required'; diff --git a/scp/logout.php b/scp/logout.php index f167d5a876082b0628f1e64929626444f28a3bb0..8f3b980d5e86f65d2569ade250f3437b38c072bf 100644 --- a/scp/logout.php +++ b/scp/logout.php @@ -15,6 +15,10 @@ vim: expandtab sw=4 ts=4 sts=4: **********************************************************************/ require('staff.inc.php'); +//CSRF Check: Make sure the user actually clicked on the link to logout. +if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id())) + @header('Location: index.php'); + $ost->logDebug('Staff logout', sprintf("%s logged out [%s]", $thisstaff->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug. diff --git a/scp/logs.php b/scp/logs.php index 79df35aed6c944499b5c49b72748943a110e115e..e29ef3702a50cd8949cc355b99b5a12dcb0ceadd 100644 --- a/scp/logs.php +++ b/scp/logs.php @@ -23,7 +23,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['delete']){ - $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE log_id IN ('.implode(',',$_POST['ids']).')'; + $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE log_id IN (' + .implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected logs deleted successfully'; diff --git a/scp/slas.php b/scp/slas.php index c67a4d8cd007f7811b3aead54d67280388c33ed5..8f3b0f75ca331381beb6a348f46c2a703853b229 100644 --- a/scp/slas.php +++ b/scp/slas.php 
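Review bot: The logout CSRF check redirects but does not stop the script: after `@header('Location: index.php');` execution falls through to the log line and, presumably, the session teardown below the hunk, so a forged request to logout.php still logs the staff member out and the guard only changes the response headers. Add `exit;` on the line after the header call. The comparison should also not be `!=`: both sides are md5 hex strings and PHP's loose comparison treats strings like `0e123...` as numeric, so use `strcmp($_GET['auth'], $expected) !== 0` (or `hash_equals` where PHP >= 5.6 is available); an HMAC such as `hash_hmac('sha256', session_id(), $ost->getCSRFToken().SECRET_SALT)` would be cleaner than a salted md5 concatenation, but that is secondary to the missing exit. The remainder of logout.php is outside the hunk.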
@@ -45,7 +45,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.SLA_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.SLA_TABLE.' SET isactive=1 WHERE id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected SLA plans enabled'; @@ -55,7 +56,8 @@ if($_POST){ $errors['err']='Unable to enable selected SLA plans.'; } }elseif($_POST['disable']){ - $sql='UPDATE '.SLA_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.SLA_TABLE.' SET isactive=0 WHERE id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected SLA plans disabled'; diff --git a/scp/staff.inc.php b/scp/staff.inc.php index a7d4b5db29f1e895b6cd006a116850e46501a43d..5dcf6045042397c1ee806a8df9f0f2b0f28725a3 100644 --- a/scp/staff.inc.php +++ b/scp/staff.inc.php @@ -39,6 +39,7 @@ define('KB_PREMADE_TABLE',TABLE_PREFIX.'kb_premade'); require_once(INCLUDE_DIR.'class.staff.php'); require_once(INCLUDE_DIR.'class.group.php'); require_once(INCLUDE_DIR.'class.nav.php'); +require_once(INCLUDE_DIR.'class.csrf.php'); /* First order of the day is see if the user is logged in and with a valid session. * User must be valid staff beyond this point @@ -80,6 +81,16 @@ if(!$thisstaff->isAdmin()) { //Keep the session activity alive $thisstaff->refreshSession(); +/******* CSRF Protectin *************/ +// Enforce CSRF protection for POSTS +if ($_POST && !$ost->checkCSRFToken()) { + Http::response(400, 'Valid CSRF Token Required'); + exit; +} + +//Add token to the header - used on ajax calls [DO NOT CHANGE THE NAME] +$ost->addExtraHeader('<meta name="csrf_token" content="'.$ost->getCSRFToken().'" />'); + /******* SET STAFF DEFAULTS **********/ //Set staff's timezone offset. $_SESSION['TZ_OFFSET']=$thisstaff->getTZoffset(); 
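Review bot: The staff.inc.php enforcement keys on `$_POST` being non-empty rather than on the request method, so a POST whose body PHP discarded (for example over `post_max_size`) or one carrying only file fields reaches the page unchecked; `if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$ost->checkCSRFToken()) {` covers those cases and states the intent. Whether such a request can still change state depends on each page's own `if($_POST)` guard, which this hunk does not show. The meta tag is emitted by string concatenation; the token is presumably base64 and cannot contain a double quote, but `htmlspecialchars($ost->getCSRFToken())` removes that assumption at no cost.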
diff --git a/scp/staff.php b/scp/staff.php index 863a348c9f37f547f5a8b57ddf0f162cc5257b1f..88c8949f9908542067bf0ebc03e64781c5ce0b08 100644 --- a/scp/staff.php +++ b/scp/staff.php @@ -45,7 +45,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.STAFF_TABLE.' SET isactive=1 WHERE staff_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.STAFF_TABLE.' SET isactive=1 WHERE staff_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected staff activated'; diff --git a/scp/teams.php b/scp/teams.php index c579372197995e4fd3811eddf338d457817aadb0..50d7ca1cae022dd328189b9d8ffdaaad1727c533 100644 --- a/scp/teams.php +++ b/scp/teams.php @@ -43,7 +43,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.TEAM_TABLE.' SET isenabled=1 WHERE team_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.TEAM_TABLE.' SET isenabled=1 WHERE team_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected teams activated'; @@ -53,7 +54,8 @@ if($_POST){ $errors['err']='Unable to activate selected teams'; } }elseif($_POST['disable']){ - $sql='UPDATE '.TEAM_TABLE.' SET isenabled=0 WHERE team_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.TEAM_TABLE.' SET isenabled=0 WHERE team_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())) { if($num==$count) $msg='Selected teams disabled'; diff --git a/scp/templates.php b/scp/templates.php index 47e24dd6e4a4d06d6e35cf8d0ccae290b99dbd24..4ba95d70a8a707422bf011781b6df9ab292a5f9f 100644 --- a/scp/templates.php +++ b/scp/templates.php 
@@ -54,7 +54,8 @@ if($_POST){ }else{ $count=count($_POST['ids']); if($_POST['enable']){ - $sql='UPDATE '.EMAIL_TEMPLATE_TABLE.' SET isactive=1 WHERE tpl_id IN ('.implode(',',$_POST['ids']).')'; + $sql='UPDATE '.EMAIL_TEMPLATE_TABLE.' SET isactive=1 WHERE tpl_id IN ('. + implode(',', db_input($_POST['ids'])).')'; if(db_query($sql) && ($num=db_affected_rows())){ if($num==$count) $msg='Selected templates enabled';