From 8b744b2d03eb88b4674503836c3fa2da66674de6 Mon Sep 17 00:00:00 2001
From: Pranav Nachanekar <pranav@Pranavs-MacBook-Pro.local>
Date: Mon, 23 Sep 2019 15:55:35 +0530
Subject: [PATCH] Added request verification and url encoding

---
 erpnext/crm/doctype/appointment/appointment.py | 18 ++++++++++++++++--
 erpnext/www/book-appointment/verify/index.py   |  6 ++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/erpnext/crm/doctype/appointment/appointment.py b/erpnext/crm/doctype/appointment/appointment.py
index 260026c495..a495b910e8 100644
--- a/erpnext/crm/doctype/appointment/appointment.py
+++ b/erpnext/crm/doctype/appointment/appointment.py
@@ -4,6 +4,7 @@
 
 from __future__ import unicode_literals
 
+import urllib
 from collections import Counter
 from datetime import timedelta
 
@@ -11,6 +12,8 @@ import frappe
 from frappe import _
 from frappe.model.document import Document
 from frappe.desk.form.assign_to import add as add_assignemnt
+from frappe.utils import get_url
+from frappe.utils.verified_command import verify_request,get_signed_params
 
 
 class Appointment(Document):
@@ -40,13 +43,23 @@ class Appointment(Document):
 			# Set status to unverified
 			self.status = 'Unverified'
 			# Send email to confirm
-			verify_url = ''.join([frappe.utils.get_url(),'/book-appointment/verify?email=',self.customer_email,'&appointment=',self.name])
+			verify_url = self.get_verify_url()
 			message = ''.join(['Please click the following link to confirm your appointment:',verify_url])
 			frappe.sendmail(recipients=[self.customer_email], 
 							message=message,
 							subject=_('Appointment Confirmation'))
 			frappe.msgprint('Please check your email to confirm the appointment')
 
+	def get_verify_url(self):
+		verify_route = '/book-appointment/verify'
+
+		params = {
+			'email':self.customer_email,
+			'appointment':self.name
+		}
+
+		return get_url(verify_route + '?' + get_signed_params(params))
+
 	def on_update(self):
 		# Sync Calednar
 		if not self.calendar_event:
@@ -60,8 +73,9 @@ class Appointment(Document):
 			frappe.throw('Email verification failed.')
 		# Create new lead
 		self.create_lead()
-		# Create calender event
+		# Remove unverified status
 		self.status = 'Open'
+		# Create calender event
 		self.create_calendar_event()
 		self.save(ignore_permissions=True)
 		frappe.db.commit()
diff --git a/erpnext/www/book-appointment/verify/index.py b/erpnext/www/book-appointment/verify/index.py
index d25b50565a..86f9515332 100644
--- a/erpnext/www/book-appointment/verify/index.py
+++ b/erpnext/www/book-appointment/verify/index.py
@@ -1,8 +1,14 @@
 import frappe
+from frappe.utils.verified_command import verify_request
 @frappe.whitelist(allow_guest=True)
 def get_context(context):
+    if not verify_request():
+        context.success = False
+        return context
+    
     email = frappe.form_dict['email']
     appointment_name = frappe.form_dict['appointment']
+
     if email and appointment_name:
         appointment = frappe.get_doc('Appointment',appointment_name)
         appointment.set_verified(email)