Convert delete reaction to post request

#2033

custom/panel_templates/Default/core/reactions_edit.tpl

@@ -139,7 +139,10 @@
                 </div>
                 <div class="modal-footer">
                     <button type="button" class="btn btn-secondary" data-dismiss="modal">{$NO}</button>
-                    <a href="{$DELETE_LINK}" class="btn btn-primary">{$YES}</a>
+                    <form action="{$DELETE_LINK}" method="post" style="display: inline">
+                        <input type="hidden" name="token" value="{$TOKEN}" />
+                        <input type="submit" class="btn btn-primary" value="{$YES}" />
+                    </form>
                 </div>
             </div>
         </div>

modules/Core/pages/panel/reactions.php

@@ -29,6 +29,12 @@
         'SUCCESS_TITLE' => $language->get('general', 'success')
     ));
 
+if (Session::exists('api_reactions_error'))
+    $smarty->assign(array(
+        'ERRORS' => [Session::flash('api_reactions_error')],
+        'ERRORS_TITLE' => $language->get('general', 'error')
+    ));
+
 if (!isset($_GET['id']) && !isset($_GET['action'])) {
     // Get all reactions
     $reactions = $queries->getWhere('reactions', array('id', '<>', 0));
@@ -176,11 +182,14 @@
                     die();
                 }
 
-                // Delete reaction
-                $queries->delete('reactions', array('id', '=', $_GET['reaction']));
+                if (Token::check($_POST['token'])) {
+                    // Delete reaction
+                    $queries->delete('reactions', array('id', '=', $_GET['reaction']));
+                    Session::flash('api_reactions', $language->get('admin', 'reaction_deleted_successfully'));
+
+                } else Session::flash('api_reactions_error', $language->get('general', 'invalid_token'));
 
                 // Redirect
-                Session::flash('api_reactions', $language->get('admin', 'reaction_deleted_successfully'));
                 Redirect::to(URL::build('/panel/core/reactions'));
                 die();