From 01f66f5d8ce17940c1df1f6b0d694a1c8ecbda8a Mon Sep 17 00:00:00 2001
From: samerton <samerton@users.noreply.github.com>
Date: Sat, 28 Aug 2021 16:49:32 +0100
Subject: [PATCH] Convert leave private message to post request #2033

---
 .../DefaultRevamp/user/view_message.tpl        | 18 +++++++++++++++++-
 modules/Core/pages/user/messaging.php          |  6 ++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/custom/templates/DefaultRevamp/user/view_message.tpl b/custom/templates/DefaultRevamp/user/view_message.tpl
index 63d655c302..52f85b1182 100755
--- a/custom/templates/DefaultRevamp/user/view_message.tpl
+++ b/custom/templates/DefaultRevamp/user/view_message.tpl
@@ -40,7 +40,7 @@
       {$PAGINATION}
       <div class="res right floated">
         <a class="ui small primary button" href="{$BACK_LINK}">{$BACK}</a>
-        <a class="ui small negative button" href="{$LEAVE_CONVERSATION_LINK}" onclick="return confirm('{$CONFIRM_LEAVE}');">{$LEAVE_CONVERSATION}</a>
+        <button class="ui small negative button" type="button" data-toggle="modal" data-target="#modal-leave">{$LEAVE_CONVERSATION}</button>
       </div>
       {foreach from=$MESSAGES item=message}
         <div class="ui fluid card" id="message">
@@ -79,4 +79,20 @@
   </div>
 </div>
 
+<div class="ui small modal" id="modal-leave">
+  <div class="header">
+    {$LEAVE_CONVERSATION}
+  </div>
+  <div class="content">
+    {$CONFIRM_LEAVE}
+    <form action="{$LEAVE_CONVERSATION_LINK}" method="post" id="leave-form">
+      <input type="hidden" name="token" value="{$TOKEN}">
+    </form>
+  </div>
+  <div class="actions">
+    <a class="ui negative button">{$NO}</a>
+    <a class="ui positive button" onclick="$('#leave-form').submit();">{$YES}</a>
+  </div>
+</div>
+
 {include file='footer.tpl'}
\ No newline at end of file
diff --git a/modules/Core/pages/user/messaging.php b/modules/Core/pages/user/messaging.php
index 0f0b05eaef..5240ba4489 100644
--- a/modules/Core/pages/user/messaging.php
+++ b/modules/Core/pages/user/messaging.php
@@ -561,7 +561,9 @@
             'NEW_REPLY' => $language->get('user', 'new_reply'),
             'TOKEN' => Token::get(),
             'SUBMIT' => $language->get('general', 'submit'),
-            'SUCCESS_TITLE' => $language->get('general', 'success')
+            'SUCCESS_TITLE' => $language->get('general', 'success'),
+            'YES' => $language->get('general', 'yes'),
+            'NO' => $language->get('general', 'no'),
         ));
 
         // Markdown or HTML?
@@ -595,7 +597,7 @@
 
     } else if ($_GET['action'] == 'leave') {
         // Try to remove the user from the conversation
-        if (!isset($_GET['message']) || !is_numeric($_GET['message'])) {
+        if (!isset($_GET['message']) || !is_numeric($_GET['message']) || !Token::check($_POST['token'])) {
             Redirect::to(URL::build('/user/messaging'));
             die();
         }