Make sure the booking cancellation is a post request and has a reason value provided (#1178).

2024-11-10 10:02:33 +03:00 · 2022-01-18 18:03:55 +01:00 · 2022-01-18 18:03:55 +01:00 · b65eabd9ed
commit b65eabd9ed
parent 378c5eaa25
3 changed files with 9 additions and 2 deletions
--- a/application/controllers/Booking_cancellation.php
+++ b/application/controllers/Booking_cancellation.php
@ -48,6 +48,13 @@ class Booking_cancellation extends EA_Controller {
    {
        try
        {
+            $cancellation_reason = request('cancellation_reason');
+
+            if ($this->input->method() !== 'post' || empty($cancellation_reason))
+            {
+                abort(403, 'Forbidden');
+            }
+
            $exceptions = [];

            $occurrences = $this->appointments_model->get(['hash' => $appointment_hash]);
--- a/application/libraries/Notifications.php
+++ b/application/libraries/Notifications.php
@ -209,7 +209,7 @@ class Notifications {

            if (empty($delete_reason))
            {
-                $delete_reason = (string)request('cancel_reason');
+                $delete_reason = (string)request('cancellation_reason');
            }

            // Notify provider.
--- a/application/views/components/booking_cancellation_frame.php
+++ b/application/views/components/booking_cancellation_frame.php
@ -18,7 +18,7 @@

                <input type="hidden" name="csrfToken" value="<?= $this->security->get_csrf_hash() ?>"/>

-                <input id="cancel-reason" name="cancel_reason" type="hidden">
+                <input id="cancel-reason" name="cancellation_reason" type="hidden">

                <button id="cancel-appointment" class="btn btn-warning btn-sm">
                    <?= lang('cancel') ?>