change alias/mailbox deletion to be a POST request

2024-09-20 03:36:20 +02:00 · 2020-09-27 20:41:25 +01:00 · 2020-09-27 20:41:25 +01:00 · a3386ee8f7
commit a3386ee8f7
parent f6f62180e8
2 changed files with 14 additions and 5 deletions
--- a/public/delete.php
+++ b/public/delete.php
@ -19,14 +19,15 @@
 require_once('common.php');
-if (safeget('token') != $_SESSION['PFA_token']) {
+
 if (safepost('token') != $_SESSION['PFA_token']) {
    die('Invalid token!');
 }
 $username = authentication_get_username(); # enforce login
-$id    = safeget('delete');
+$id    = safepost('delete');
-$table = safeget('table');
+$table = safepost('table');
 $handlerclass = ucfirst($table) . 'Handler';
--- a/templates/bootstrap/list-virtual_mailbox.tpl
+++ b/templates/bootstrap/list-virtual_mailbox.tpl
@ -98,8 +98,16 @@
 				<td><a href="edit.php?table=alias&amp;edit={$item.username|escape:"url"}">{$PALANG.alias}</a></td>
 			{/if}
 			<td><a href="edit.php?table=mailbox&amp;edit={$item.username|escape:"url"}">{$PALANG.edit}</a></td>
-			<td><a href="delete.php?table=mailbox&amp;delete={$item.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
+			<td>
-				onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
+				<form method="post" action="delete.php">
 					<input type="hidden" name="table" value="mailbox">
 					<input type="hidden" name="delete" value="{$item.username|escape:"quotes"}">
 					<input type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"quotes"}">
 					<button type="submit" class="btn btn-danger" onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">
 						{$PALANG.del}
 					</button>
 				</form>
 			</td>
 		</tr>
 	{/foreach}
 	</tbody>