Make sure the booking cancellation is a post request and has a reason value provided (#1178).

Alex Tselegidis 2022-01-18 18:03:55 +01:00
parent 378c5eaa25
commit b65eabd9ed
3 changed files with 9 additions and 2 deletions


@ -48,6 +48,13 @@ class Booking_cancellation extends EA_Controller {
{ {
try try
{ {
$cancellation_reason = request('cancellation_reason');
if ($this->input->method() !== 'post' || empty($cancellation_reason))
{
abort(403, 'Forbidden');
}
$exceptions = []; $exceptions = [];
$occurrences = $this->appointments_model->get(['hash' => $appointment_hash]); $occurrences = $this->appointments_model->get(['hash' => $appointment_hash]);
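Review bot: The guard added at the top of the `try` block checks the reason only with `empty()`, so a non-string value (for example a request that sends `cancellation_reason[]`) would pass it, assuming `request()` returns parsed arrays as-is; the Notifications hunk below then casts the value with `(string)`, which yields the literal `Array` and a conversion warning. `empty()` also treats the reason `0` as missing and accepts a whitespace-only one. I would tighten it to `if ($this->input->method() !== 'post' || !is_string($cancellation_reason) || trim($cancellation_reason) === '')`. Since the check sits inside `try` and the matching `catch` is outside this hunk, it is worth confirming that `abort()` ends the request rather than throwing into that handler. A one-line comment such as `// State-changing action: only accept POST with a stated reason.` would record why the verb is enforced.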


@ -209,7 +209,7 @@ class Notifications {
if (empty($delete_reason)) if (empty($delete_reason))
{ {
$delete_reason = (string)request('cancel_reason'); $delete_reason = (string)request('cancellation_reason');
} }
// Notify provider. // Notify provider.


@ -18,7 +18,7 @@
<input type="hidden" name="csrfToken" value="<?= $this->security->get_csrf_hash() ?>"/> <input type="hidden" name="csrfToken" value="<?= $this->security->get_csrf_hash() ?>"/>
<input id="cancel-reason" name="cancel_reason" type="hidden"> <input id="cancel-reason" name="cancellation_reason" type="hidden">
<button id="cancel-appointment" class="btn btn-warning btn-sm"> <button id="cancel-appointment" class="btn btn-warning btn-sm">
<?= lang('cancel') ?> <?= lang('cancel') ?>