Add log out confirmation if CSRF token is invalid. fixes #1282

2024-11-26 10:14:16 +08:00 · 2017-11-29 13:03:16 +10:30 · 2017-11-29 13:03:16 +10:30 · e8a4e5e0ef
commit e8a4e5e0ef
parent 295193eb3c
2 changed files with 56 additions and 9 deletions
--- a/src/Forum/Controller/LogOutController.php
+++ b/src/Forum/Controller/LogOutController.php
@ -18,8 +18,11 @@ use Flarum\Http\Controller\ControllerInterface;
 use Flarum\Http\Exception\TokenMismatchException;
 use Flarum\Http\Rememberer;
 use Flarum\Http\SessionAuthenticator;
+use Flarum\Settings\SettingsRepositoryInterface;
 use Illuminate\Contracts\Events\Dispatcher;
+use Illuminate\Contracts\View\Factory;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Diactoros\Response\HtmlResponse;
 use Zend\Diactoros\Response\RedirectResponse;

 class LogOutController implements ControllerInterface
@ -46,18 +49,38 @@ class LogOutController implements ControllerInterface
     */
    protected $rememberer;

+    /**
+     * @var Factory
+     */
+    protected $view;
+
+    /**
+     * @var SettingsRepositoryInterface
+     */
+    protected $settings;
+
    /**
     * @param Application $app
     * @param Dispatcher $events
     * @param SessionAuthenticator $authenticator
     * @param Rememberer $rememberer
+     * @param Factory $view
+     * @param SettingsRepositoryInterface $settings
     */
-    public function __construct(Application $app, Dispatcher $events, SessionAuthenticator $authenticator, Rememberer $rememberer)
-    {
+    public function __construct(
+        Application $app,
+        Dispatcher $events,
+        SessionAuthenticator $authenticator,
+        Rememberer $rememberer,
+        Factory $view,
+        SettingsRepositoryInterface $settings
+    ) {
        $this->app = $app;
        $this->events = $events;
        $this->authenticator = $authenticator;
        $this->rememberer = $rememberer;
+        $this->view = $view;
+        $this->settings = $settings;
    }

    /**
@ -68,17 +91,27 @@ class LogOutController implements ControllerInterface
    public function handle(Request $request)
    {
        $session = $request->getAttribute('session');
-
-        if (array_get($request->getQueryParams(), 'token') !== $session->get('csrf_token')) {
-            throw new TokenMismatchException;
-        }
-
        $actor = $request->getAttribute('actor');

-        $this->assertRegistered($actor);
-
        $url = array_get($request->getQueryParams(), 'return', $this->app->url());

+        // If there is no user logged in, return to the index.
+        if ($actor->isGuest()) {
+            return new RedirectResponse($url);
+        }
+
+        // If a valid CSRF token hasn't been provided, show a view which will
+        // allow the user to press a button to complete the log out process.
+        $csrfToken = $session->get('csrf_token');
+
+        if (array_get($request->getQueryParams(), 'token') !== $csrfToken) {
+            $view = $this->view->make('flarum.forum::log-out')
+                ->with('csrfToken', $csrfToken)
+                ->with('forumTitle', $this->settings->get('forum_title'));
+
+            return new HtmlResponse($view->render());
+        }
+
        $response = new RedirectResponse($url);

        $this->authenticator->logOut($session);
--- a/views/log-out.blade.php
+++ b/views/log-out.blade.php
@ -0,0 +1,14 @@
+@extends('flarum.forum::layouts.basic')
+@inject('url', 'Flarum\Forum\UrlGenerator')
+
+@section('title', $translator->trans('core.views.log_out.title'))
+
+@section('content')
+  <p>{{ $translator->trans('core.views.log_out.log_out_confirmation', ['{forum}' => $forumTitle]) }}</p>
+
+  <p>
+    <a href="{{ $url->toRoute('logout') }}?token={{ $csrfToken }}" class="button">
+      {{ $translator->trans('core.views.log_out.log_out_button') }}
+    </a>
+  </p>
+@endsection