From 9a04fbd7318e57ed4c35bc967c8b75c3e410c28a Mon Sep 17 00:00:00 2001
From: Partydragen
Date: Wed, 25 Aug 2021 19:42:08 +0200
Subject: [PATCH] Convert custom pages actions to POST

https://github.com/NamelessMC/Nameless/issues/2033
---
 custom/panel_templates/Default/core/pages.tpl | 21 +++++++++----
 modules/Core/pages/panel/pages.php | 31 ++++++++++++-------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/custom/panel_templates/Default/core/pages.tpl b/custom/panel_templates/Default/core/pages.tpl
index 581f064808..00e20c818a 100644
--- a/custom/panel_templates/Default/core/pages.tpl
+++ b/custom/panel_templates/Default/core/pages.tpl
@@ -56,7 +56,7 @@
@@ -99,8 +99,9 @@ {$CONFIRM_DELETE_PAGE}
@@ -112,10 +113,18 @@ {include file='scripts.tpl'}
diff --git a/modules/Core/pages/panel/pages.php b/modules/Core/pages/panel/pages.php
index 8333908510..5b57ec2a6d 100644
--- a/modules/Core/pages/panel/pages.php
+++ b/modules/Core/pages/panel/pages.php
@@ -2,7 +2,7 @@
 /*
 * Made by Samerton
 * https://github.com/NamelessMC/Nameless/
- * NamelessMC version 2.0.0-pr9
+ * NamelessMC version 2.0.0-pr11
 *
 * License: MIT
 *
@@ -30,9 +30,9 @@
 if(count($custom_pages)){
 foreach($custom_pages as $custom_page){
 $template_array[] = array(
+ 'id' => Output::getClean($custom_page->id),
 'edit_link' => URL::build('/panel/core/pages/', 'action=edit&id=' . Output::getClean($custom_page->id)),
- 'title' => Output::getClean($custom_page->title),
- 'delete_link' => URL::build('/panel/core/pages/', 'action=delete&id=' . Output::getClean($custom_page->id))
+ 'title' => Output::getClean($custom_page->title)
 );
 }
 }
@@ -47,7 +47,8 @@
 'ARE_YOU_SURE' => $language->get('general', 'are_you_sure'),
 'CONFIRM_DELETE_PAGE' => $language->get('admin', 'confirm_delete_page'),
 'YES' => $language->get('general', 'yes'),
- 'NO' => $language->get('general', 'no')
+ 'NO' => $language->get('general', 'no'),
+ 'DELETE_LINK' => URL::build('/panel/core/pages', 'action=delete'),
 ));
 $template_file = 'core/pages.tpl';
@@ -538,15 +539,20 @@
 break;
 case 'delete':
- if(isset($_GET['id']) && is_numeric($_GET['id'])){
-
- $queries->delete('custom_pages', array('id', '=', $_GET['id']));
- $queries->delete('custom_pages_permissions', array('page_id', '=', $_GET['id']));
+ if (Input::exists()) {
+ if (Token::check(Input::get('token'))) {
+ if(isset($_POST['id']) && is_numeric($_POST['id'])){
+
+ $queries->delete('custom_pages', array('id', '=', $_POST['id']));
+ $queries->delete('custom_pages_permissions', array('page_id', '=', $_POST['id']));
- Session::flash('admin_pages', $language->get('admin', 'page_deleted_successfully'));
- Redirect::to(URL::build('/panel/core/pages'));
- die();
+ Session::flash('admin_pages', $language->get('admin', 'page_deleted_successfully'));
+ }
+ } else {
+ Session::flash('admin_pages_error', $language->get('general', 'invalid_token'));
+ }
 }
+ die();
 break;
@@ -561,6 +567,9 @@
 if(Session::exists('admin_pages'))
 $success = Session::flash('admin_pages');
+if(Session::exists('admin_pages_error'))
+ $errors = array(Session::flash('admin_pages_error'));
+
 if(isset($success))
 $smarty->assign(array(
 'SUCCESS' => $success,
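Review bot: `DELETE_LINK` is built from `'/panel/core/pages'` while `edit_link` in the earlier hunk (and the old `delete_link` it replaces) use `'/panel/core/pages/'` with a trailing slash; if `URL::build` treats those as distinct routes the new form would post somewhere other than the path the old link targeted, so I would align them: `'DELETE_LINK' => URL::build('/panel/core/pages/', 'action=delete'),`. The handler on the other side only accepts the request when `Token::check(Input::get('token'))` passes, so the template must send the CSRF token under the field name `token`; the tpl hunks in this patch are not readable here, so I cannot confirm a `Token::get()` field was added. The `$smarty->assign(array(` call these entries belong to starts before the hunk.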
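Review bot: The id check in the new `case 'delete'` branch is still `is_numeric($_POST['id'])`, which also accepts `"1e2"`, `"1.5"` and strings with leading whitespace, so the value handed to `$queries->delete` is not guaranteed to be an integer; `filter_var($_POST['id'], FILTER_VALIDATE_INT) !== false` (then passing `(int) $_POST['id']`) is the stricter form, and whether the looser check is more than a robustness issue depends on `Queries::delete` binding its value, which this hunk does not show. Moving `die()` outside the handler also changes the response: a plain GET to `?action=delete`, a POST with a bad token and a successful delete all now end in an empty body, and the `page_deleted_successfully` / `invalid_token` flash is only rendered after the client reloads — unless the template's new script performs that reload, which the stripped tpl hunks do not let me confirm, so I would keep `Redirect::to(URL::build('/panel/core/pages'));` before `die();` for non-script callers. The `case` closes inside this hunk, but the enclosing `switch` starts before it.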