From ec1edbd649f7e38afdafaf1d7ba6a1d994eaca25 Mon Sep 17 00:00:00 2001
From: samerton
Date: Mon, 25 Oct 2021 11:33:31 +0100
Subject: [PATCH] Convert delete hook to POST #2033
---
 custom/panel_templates/Default/core/hooks.tpl | 9 +++++---
 modules/Core/pages/panel/hooks.php | 21 ++++++++++++-------
 2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/custom/panel_templates/Default/core/hooks.tpl b/custom/panel_templates/Default/core/hooks.tpl
index 2712d6999c..f926a7f5c7 100644
--- a/custom/panel_templates/Default/core/hooks.tpl
+++ b/custom/panel_templates/Default/core/hooks.tpl
@@ -114,8 +114,11 @@ {$CONFIRM_DELETE_HOOK}
@@ -128,7 +131,7 @@
diff --git a/modules/Core/pages/panel/hooks.php b/modules/Core/pages/panel/hooks.php
index 2116e5bfa1..84f88dc4e5 100644
--- a/modules/Core/pages/panel/hooks.php
+++ b/modules/Core/pages/panel/hooks.php
@@ -213,20 +213,25 @@
 break;
 case 'delete':
- // Delete Form
+ // Delete hook
 if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
 Redirect::to(URL::build('/panel/core/hooks'));
 die();
 }
- $queries->delete('hooks', array('id', '=', $_GET['id']));
+ if (Token::check()) {
+ $queries->delete('hooks', array('id', '=', $_GET['id']));
- $cache->setCache('hooks');
- if ($cache->isCached('hooks')) {
- $cache->erase('hooks');
+ $cache->setCache('hooks');
+ if ($cache->isCached('hooks')) {
+ $cache->erase('hooks');
+ }
+
+ Session::flash('admin_hooks', $language->get('admin', 'hook_deleted'));
+ } else {
+ Session::flash('admin_hooks_error', $language->get('general', 'invalid_token'));
 }
- Session::flash('admin_hooks', $language->get('admin', 'hook_deleted'));
 Redirect::to(URL::build('/panel/core/hooks'));
 die();
 break;
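Review bot: The new `if (Token::check()) {` guard in the `delete` case of modules/Core/pages/panel/hooks.php does not itself require a POST request, and the hook id is still read from `$_GET['id']`. If `Token::check()` also accepts a token supplied in the query string (its implementation is not visible in this patch), the delete would remain reachable by GET, and tokens carried in URLs tend to end up in logs and Referer headers. Making the method explicit would pin the commit's intent: `if ($_SERVER['REQUEST_METHOD'] === 'POST' && Token::check()) {`. The unchanged `is_numeric($_GET['id'])` check also accepts values such as `1e3` or `1.5`; `ctype_digit((string) $_GET['id'])` would restrict it to a plain integer id. The `case` body belongs to a `switch` that starts outside the hunk.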
@@ -244,8 +249,8 @@
 if (Session::exists('admin_hooks'))
 $success = Session::flash('admin_hooks');
-if (Session::exists('admin_pages_error'))
- $errors[] = Session::flash('admin_pages_error');
+if (Session::exists('admin_hooks_error'))
+ $errors[] = Session::flash('admin_hooks_error');
 if (isset($success))
 $smarty->assign(array(