From 54daad6e7daeec1b6c24a5c4210a9761c53f4d0e Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Tue, 7 Jul 2015 15:30:13 +0930
Subject: [PATCH] CSRF protection on logout action
---
src/Forum/Actions/LogoutAction.php | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/Forum/Actions/LogoutAction.php b/src/Forum/Actions/LogoutAction.php
index a91411266..96243d32e 100644
--- a/src/Forum/Actions/LogoutAction.php
+++ b/src/Forum/Actions/LogoutAction.php
@@ -1,5 +1,6 @@ exists) { + $token = array_get($request->getQueryParams(), 'token'); + + AccessToken::where('user_id', $user->id)->findOrFail($token); + $user->accessTokens()->delete(); event(new UserLoggedOut($user));
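Review bot: The CSRF check on the `findOrFail($token)` line reads the user's access token from the query string, so the session credential itself ends up in the logout URL, where it can be recorded in access logs, browser history and Referer headers. The exposure is bounded because `$user->accessTokens()->delete()` revokes the tokens right after the lookup, but that only holds when the request gets that far; a dedicated single-purpose logout token, or a POST carrying the token in the body, would keep the credential out of URLs. The lookup result is discarded and a mismatch surfaces as whatever the framework does with a failed `findOrFail()`, presumably a not-found response, so a comment would help the next reader: `// CSRF guard: request must carry one of this user's access tokens; findOrFail() aborts the logout otherwise`. A missing `token` parameter passes null to `findOrFail()`, which should also abort but is worth a test. The enclosing method begins and ends outside this hunk.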