From 2265ee625a8686f6f1559bea38d7756ec8cf208f Mon Sep 17 00:00:00 2001
From: samerton <samerton@users.noreply.github.com>
Date: Sat, 28 Aug 2021 17:03:08 +0100
Subject: [PATCH] Convert delete reaction to post request #2033

---
 .../Default/core/reactions_edit.tpl               |  5 ++++-
 modules/Core/pages/panel/reactions.php            | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/custom/panel_templates/Default/core/reactions_edit.tpl b/custom/panel_templates/Default/core/reactions_edit.tpl
index 110d639827..c92276a3b1 100644
--- a/custom/panel_templates/Default/core/reactions_edit.tpl
+++ b/custom/panel_templates/Default/core/reactions_edit.tpl
@@ -139,7 +139,10 @@
                 </div>
                 <div class="modal-footer">
                     <button type="button" class="btn btn-secondary" data-dismiss="modal">{$NO}</button>
-                    <a href="{$DELETE_LINK}" class="btn btn-primary">{$YES}</a>
+                    <form action="{$DELETE_LINK}" method="post" style="display: inline">
+                        <input type="hidden" name="token" value="{$TOKEN}" />
+                        <input type="submit" class="btn btn-primary" value="{$YES}" />
+                    </form>
                 </div>
             </div>
         </div>
diff --git a/modules/Core/pages/panel/reactions.php b/modules/Core/pages/panel/reactions.php
index 1c93ecd8ae..ade640d98c 100644
--- a/modules/Core/pages/panel/reactions.php
+++ b/modules/Core/pages/panel/reactions.php
@@ -29,6 +29,12 @@
         'SUCCESS_TITLE' => $language->get('general', 'success')
     ));
 
+if (Session::exists('api_reactions_error'))
+    $smarty->assign(array(
+        'ERRORS' => [Session::flash('api_reactions_error')],
+        'ERRORS_TITLE' => $language->get('general', 'error')
+    ));
+
 if (!isset($_GET['id']) && !isset($_GET['action'])) {
     // Get all reactions
     $reactions = $queries->getWhere('reactions', array('id', '<>', 0));
@@ -176,11 +182,14 @@
                     die();
                 }
 
-                // Delete reaction
-                $queries->delete('reactions', array('id', '=', $_GET['reaction']));
+                if (Token::check($_POST['token'])) {
+                    // Delete reaction
+                    $queries->delete('reactions', array('id', '=', $_GET['reaction']));
+                    Session::flash('api_reactions', $language->get('admin', 'reaction_deleted_successfully'));
+
+                } else Session::flash('api_reactions_error', $language->get('general', 'invalid_token'));
 
                 // Redirect
-                Session::flash('api_reactions', $language->get('admin', 'reaction_deleted_successfully'));
                 Redirect::to(URL::build('/panel/core/reactions'));
                 die();