From bf4ccb0eabe0f4258bc174a83dfba318d0212af1 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 8 Mar 2019 16:54:54 +0100 Subject: [PATCH] Logout: Use a POST form as it's a stateful action --- index.pl | 4 ++++ templates/login.html.ep | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/index.pl b/index.pl index 69d1079..6331d45 100755 --- a/index.pl +++ b/index.pl @@ -1176,6 +1176,10 @@ get '/export.json' => sub { post '/logout' => sub { my ($self) = @_; + if ( $self->validation->csrf_protect->has_error('csrf_token') ) { + $self->render( 'login', invalid => 'csrf' ); + return; + } $self->logout; $self->redirect_to('/login'); }; diff --git a/templates/login.html.ep b/templates/login.html.ep index f85ba91..23d3259 100644 --- a/templates/login.html.ep +++ b/templates/login.html.ep @@ -7,7 +7,13 @@

Du bist bereits angemeldet. Falls du mehrere Accounts hast und auf einen anderen wechseln möchtest, musst du dich - vorher abmelden. + vorher + %= form_for 'logout' => begin + %= csrf_field + + %= end