Convert delete hook to POST

#2033
NamelessMC · Oct 25, 2021 · ec1edbd · ec1edbd
1 parent d9e795d
commit ec1edbd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/custom/panel_templates/Default/core/hooks.tpl b/custom/panel_templates/Default/core/hooks.tpl
@@ -114,8 +114,11 @@
                     {$CONFIRM_DELETE_HOOK}
                 </div>
                 <div class="modal-footer">
-                    <button type="button" class="btn btn-secondary" data-dismiss="modal">{$NO}</button>
-                    <a href="#" id="deleteLink" class="btn btn-primary">{$YES}</a>
+                    <form action="" id="deleteForm" method="post">
+                        <button type="button" class="btn btn-secondary" data-dismiss="modal">{$NO}</button>
+                        <input type="hidden" name="token" value="{$TOKEN}">
+                        <button type="submit" class="btn btn-primary">{$YES}</button>
+                    </form>
                 </div>
             </div>
         </div>
@@ -128,7 +131,7 @@
 
 <script type="text/javascript">
   function showDeleteModal(id) {
-    $('#deleteLink').attr('href', id);
+    $('#deleteForm').attr('action', id);
     $('#deleteModal').modal().show();
   }
 </script>

diff --git a/modules/Core/pages/panel/hooks.php b/modules/Core/pages/panel/hooks.php
@@ -213,20 +213,25 @@
             break;
 
         case 'delete':
-            // Delete Form
+            // Delete hook
             if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
                 Redirect::to(URL::build('/panel/core/hooks'));
                 die();
             }
 
-            $queries->delete('hooks', array('id', '=', $_GET['id']));
+            if (Token::check()) {
+                $queries->delete('hooks', array('id', '=', $_GET['id']));
 
-            $cache->setCache('hooks');
-            if ($cache->isCached('hooks')) {
-                $cache->erase('hooks');
+                $cache->setCache('hooks');
+                if ($cache->isCached('hooks')) {
+                    $cache->erase('hooks');
+                }
+
+                Session::flash('admin_hooks', $language->get('admin', 'hook_deleted'));
+            } else {
+                Session::flash('admin_hooks_error', $language->get('general', 'invalid_token'));
             }
 
-            Session::flash('admin_hooks', $language->get('admin', 'hook_deleted'));
             Redirect::to(URL::build('/panel/core/hooks'));
             die();
             break;
@@ -244,8 +249,8 @@
 if (Session::exists('admin_hooks'))
     $success = Session::flash('admin_hooks');
 
-if (Session::exists('admin_pages_error'))
-    $errors[] = Session::flash('admin_pages_error');
+if (Session::exists('admin_hooks_error'))
+    $errors[] = Session::flash('admin_hooks_error');
 
 if (isset($success))
     $smarty->assign(array(