From e8a4e5e0ef91ae906698f8ac086eb473a0259c69 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Wed, 29 Nov 2017 13:03:16 +1030
Subject: [PATCH] Add log out confirmation if CSRF token is invalid. fixes #1282

---
 src/Forum/Controller/LogOutController.php | 51 +++++++++++++++++++----
 views/log-out.blade.php | 14 +++++++
 2 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 views/log-out.blade.php

diff --git a/src/Forum/Controller/LogOutController.php b/src/Forum/Controller/LogOutController.php
index 1aef40efb..4dbb891cf 100644
--- a/src/Forum/Controller/LogOutController.php
+++ b/src/Forum/Controller/LogOutController.php
@@ -18,8 +18,11 @@ use Flarum\Http\Controller\ControllerInterface;
 use Flarum\Http\Exception\TokenMismatchException;
 use Flarum\Http\Rememberer;
 use Flarum\Http\SessionAuthenticator;
+use Flarum\Settings\SettingsRepositoryInterface;
 use Illuminate\Contracts\Events\Dispatcher;
+use Illuminate\Contracts\View\Factory;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Diactoros\Response\HtmlResponse;
 use Zend\Diactoros\Response\RedirectResponse;
 
 class LogOutController implements ControllerInterface
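Review bot: The context line `use Flarum\Http\Exception\TokenMismatchException;` appears to be left without a user, because the only `throw new TokenMismatchException;` visible in this file is removed by the `handle` hunk below; drop the import unless the class still references it somewhere outside the diff. The three new imports (`SettingsRepositoryInterface`, `Factory`, `HtmlResponse`) match what the constructor and `handle` changes actually use.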
@@ -46,18 +49,38 @@ class LogOutController implements ControllerInterface */ protected $rememberer; + /** + * @var Factory + */ + protected $view; + + /** + * @var SettingsRepositoryInterface + */ + protected $settings; + /** * @param Application $app * @param Dispatcher $events * @param SessionAuthenticator $authenticator * @param Rememberer $rememberer + * @param Factory $view + * @param SettingsRepositoryInterface $settings */ - public function __construct(Application $app, Dispatcher $events, SessionAuthenticator $authenticator, Rememberer $rememberer) - { + public function __construct( + Application $app, + Dispatcher $events, + SessionAuthenticator $authenticator, + Rememberer $rememberer, + Factory $view, + SettingsRepositoryInterface $settings + ) { $this->app = $app; $this->events = $events; $this->authenticator = $authenticator; $this->rememberer = $rememberer; + $this->view = $view; + $this->settings = $settings; } /** 
@@ -68,17 +91,27 @@ class LogOutController implements ControllerInterface
      */
     public function handle(Request $request)
     {
         $session = $request->getAttribute('session');
-
-        if (array_get($request->getQueryParams(), 'token') !== $session->get('csrf_token')) {
-            throw new TokenMismatchException;
-        }
-
         $actor = $request->getAttribute('actor');
-        $this->assertRegistered($actor);
-
         $url = array_get($request->getQueryParams(), 'return', $this->app->url());
 
+        // If there is no user logged in, return to the index.
+        if ($actor->isGuest()) {
+            return new RedirectResponse($url);
+        }
+
+        // If a valid CSRF token hasn't been provided, show a view which will
+        // allow the user to press a button to complete the log out process.
+        $csrfToken = $session->get('csrf_token');
+
+        if (array_get($request->getQueryParams(), 'token') !== $csrfToken) {
+            $view = $this->view->make('flarum.forum::log-out')
+                ->with('csrfToken', $csrfToken)
+                ->with('forumTitle', $this->settings->get('forum_title'));
+
+            return new HtmlResponse($view->render());
+        }
+
         $response = new RedirectResponse($url);
 
         $this->authenticator->logOut($session);
diff --git a/views/log-out.blade.php b/views/log-out.blade.php
new file mode 100644
index 000000000..5f777dda3
--- /dev/null
+++ b/views/log-out.blade.php
@@ -0,0 +1,14 @@
+@extends('flarum.forum::layouts.basic')
+@inject('url', 'Flarum\Forum\UrlGenerator')
+
+@section('title', $translator->trans('core.views.log_out.title'))
+
+@section('content')
+
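Review bot: The new guest branch `if ($actor->isGuest()) { return new RedirectResponse($url); }` turns the `return` query parameter into an unauthenticated open redirect: `$url` is taken verbatim from `array_get($request->getQueryParams(), 'return', ...)` on the context line just above and is now followed with no token check at all, whereas before this commit no redirect happened until the CSRF token had been verified. The same unvalidated `$url` also feeds the post-log-out redirect further down, so validate it once before either branch — at minimum require the host to match `$this->app->url()`, as sketched below (an allow-list of site-relative paths would be stricter still). Two smaller points on the check at `array_get($request->getQueryParams(), 'token') !== $csrfToken`: if the session holds no `csrf_token`, both sides are `null` and the comparison passes, so an empty `$csrfToken` should count as a mismatch; and a constant-time `hash_equals($csrfToken, $token)` guarded by `is_string($token)` (since `?token[]=x` yields an array) avoids a timing side channel. `handle` continues past the end of the hunk.
```php
        $base = $this->app->url();
        $url = array_get($request->getQueryParams(), 'return', $base);

        // `return` is attacker-controlled and the guest branch below follows it
        // without any token, so only URLs on the forum's own host are honoured.
        if (! is_string($url) || parse_url($url, PHP_URL_HOST) !== parse_url($base, PHP_URL_HOST)) {
            $url = $base;
        }

        // … unchanged: guest redirect …

        $csrfToken = $session->get('csrf_token');
        $token = array_get($request->getQueryParams(), 'token');

        // A missing session token must never match a missing query token.
        if (! is_string($csrfToken) || $csrfToken === '' || ! is_string($token) || ! hash_equals($csrfToken, $token)) {
            // … unchanged: render the confirmation view …
        }
```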

{{ $translator->trans('core.views.log_out.log_out_confirmation', ['{forum}' => $forumTitle]) }}

+ +

+ + {{ $translator->trans('core.views.log_out.log_out_button') }} + +

+@endsection
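Review bot: The confirmation view receives the session's CSRF token and, judging from the button at `{{ $translator->trans('core.views.log_out.log_out_button') }}`, appears to send it back as a link to the GET log-out route (the markup around the button was lost in extraction, so this is inferred rather than read); a secret carried in a query string ends up in server and proxy logs, browser history and the `Referer` of any outbound link on the page it lands on. A `<form method="POST">` with `<input type="hidden" name="token" value="{{ $csrfToken }}">` keeps the token out of URLs, though the log-out route would then need to accept POST, which is outside this diff. The `HtmlResponse` that renders this page should also be sent with `Cache-Control: no-store` so a page containing the token is never cached. Blade's `{{ }}` HTML-escapes `$forumTitle` and `$csrfToken`, so the rendering itself is safe against injection.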