From b65eabd9ede2a4dc122b6f7245a6c48f0784e244 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Tue, 18 Jan 2022 18:03:55 +0100
Subject: [PATCH] Make sure the booking cancellation is a post request and has a reason value provided (#1178).
---
 application/controllers/Booking_cancellation.php | 7 +++++++
 application/libraries/Notifications.php | 2 +-
 .../views/components/booking_cancellation_frame.php | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/application/controllers/Booking_cancellation.php b/application/controllers/Booking_cancellation.php
index 28cc7306..6c113cc7 100755
--- a/application/controllers/Booking_cancellation.php
+++ b/application/controllers/Booking_cancellation.php
@@ -48,6 +48,13 @@ class Booking_cancellation extends EA_Controller {
 {
 try
 {
+ $cancellation_reason = request('cancellation_reason');
+
+ if ($this->input->method() !== 'post' || empty($cancellation_reason))
+ {
+ abort(403, 'Forbidden');
+ }
+
 $exceptions = [];
 $occurrences = $this->appointments_model->get(['hash' => $appointment_hash]);
diff --git a/application/libraries/Notifications.php b/application/libraries/Notifications.php
index 3ebee28a..ca761c1d 100644
--- a/application/libraries/Notifications.php
+++ b/application/libraries/Notifications.php
@@ -209,7 +209,7 @@ class Notifications {
 if (empty($delete_reason))
 {
- $delete_reason = (string)request('cancel_reason');
+ $delete_reason = (string)request('cancellation_reason');
 }
 // Notify provider.
diff --git a/application/views/components/booking_cancellation_frame.php b/application/views/components/booking_cancellation_frame.php
index 3ba831ac..169ee81b 100644
--- a/application/views/components/booking_cancellation_frame.php
+++ b/application/views/components/booking_cancellation_frame.php
@@ -18,7 +18,7 @@ - +
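Review bot: The new guard at the top of the `try` in `Booking_cancellation` checks that a reason is present but not that it is a usable string: `empty()` rejects a literal `0`, accepts whitespace-only text, and, if `request()` can return arrays, accepts `cancellation_reason[]=x`, which the `(string)` cast in the `Notifications.php` hunk would then turn into `Array` with a warning. Consider `if ($this->input->method() !== 'post' || ! is_string($cancellation_reason) || trim($cancellation_reason) === '')`. Requiring POST stops the cancellation firing from a plain link or image fetch, but it is not by itself a CSRF defence, so confirm the framework's CSRF token check covers this route and that the form in `booking_cancellation_frame.php` (its markup is not visible in this diff) submits the token. The `catch` for this `try` is outside the hunk; verify `abort()` terminates the request rather than throwing into it.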
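Review bot: The changed fallback in `Notifications.php` keeps the library reading raw request input (`request('cancellation_reason')`) on its own, so whatever normalisation the controller applies never reaches the notification text. Prefer passing the controller's validated `$cancellation_reason` in as `$delete_reason` and dropping the fallback, or at least normalise and bound it here, e.g. `$delete_reason = mb_substr(trim((string)request('cancellation_reason')), 0, 500);` (the 500 limit is a placeholder). The value is presumably rendered into the provider and customer emails below `// Notify provider.`, so confirm those templates escape it for HTML. The method body continues outside the hunk.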