post logout, re #4692

Merge request studip/studip!3507

post logout, re #4692
31b27040 · Jan-Hendrik Willms · 48db94cc · 31b27040 · 31b27040 · 31b27040
Commit 31b27040 authored 6 months ago by Jan-Hendrik Willms
--- a/app/controllers/terms.php
+++ b/app/controllers/terms.php
@@ -32,6 +32,7 @@ class TermsController extends AuthenticatedController
                $GLOBALS['user']->cfg->store('TERMS_ACCEPTED', 1);
                $this->redirectUser();
            } else {
+                $_SESSION['logout_ticket'] = get_ticket();
                $this->redirectUser('logout.php');
            }
        } elseif (Request::get('action') === 'denied') {

--- a/app/views/api/oauth2/authorize.php
+++ b/app/views/api/oauth2/authorize.php
@@ -48,13 +48,16 @@
            htmlReady($GLOBALS['user']->getFullName()),
            htmlReady($GLOBALS['user']->username)
            ) ?><br>
-        <small>
+    </p>
-            <a href="<?= URLHelper::getLink('logout.php') ?>">
+    <form action="<?= URLHelper::getLink('logout.php') ?>" method="post">
+        <button class="as-link">
+            <small>
                <?= sprintf(
                    _('Sind sie nicht <strong>%s</strong>, so melden Sie sich bitte ab und versuchen es erneut.'),
                    htmlReady($GLOBALS['user']->getFullName())
                ) ?>
-            </a>
+            </small>
-        </small>
+        </button>
-    </p>
+    </form>
 </section>
--- a/app/views/terms/index.php
+++ b/app/views/terms/index.php
@@ -23,10 +23,9 @@
    <? endif; ?>
    <footer style="text-align: center">
    <? if ($denial_message): ?>
-        <?= Studip\LinkButton::createAccept(
+        <form action="<?= URLHelper::getLink('logout.php') ?>" method="post">
-            _('Verstanden'),
+            <?= Studip\Button::createAccept(_('Verstanden')) ?>
-            URLHelper::getURL('logout.php')
+        </form>
-        ) ?>
    <? else: ?>
        <?= Studip\Button::createAccept(_('Ich erkenne die Nutzungsbedingungen an'), 'accept') ?>

--- a/lib/navigation/AvatarNavigation.php
+++ b/lib/navigation/AvatarNavigation.php
@@ -48,6 +48,7 @@ class AvatarNavigation extends Navigation
        // Link to logout
        $navigation = new Navigation(_('Logout'), 'logout.php');
        $navigation->setImage(Icon::create('door-leave'));
+        $navigation->setRenderAsButton();
        $this->addSubNavigation('logout', $navigation);
    }
 }
--- a/lib/navigation/Navigation.php
+++ b/lib/navigation/Navigation.php
@@ -48,6 +48,8 @@ class Navigation implements IteratorAggregate
    protected $title;
    protected $url;
+    protected $render_as_button = false;
    /**
     * Mark the navigation item at the given path as active.
     * This is just a shortcut for doing:
@@ -457,6 +459,22 @@ class Navigation implements IteratorAggregate
        $this->badgeTimestamp = $badgeTimestamp;
    }
+    /**
+     * Sets whether the navigation should be rendered as a button or not
+     */
+    public function setRenderAsButton(bool $state = true): void
+    {
+        $this->render_as_button = $state;
+    }
+    /**
+     * Return whether the navigation should be rendered as a button or not
+     */
+    public function getRenderAsButton(): bool
+    {
+        return $this->render_as_button;
+    }
    /**
     * Get the active subnavigation item of this navigation
     * (if there is one). Returns NULL if the subnavigation

--- a/public/logout.php
+++ b/public/logout.php
@@ -29,6 +29,20 @@ page_open(["sess" => "Seminar_Session", "auth" => "Seminar_Default_Auth", "perm"
 require_once 'lib/messaging.inc.php';
+// Redirect to index page if request is not a post request or logout ticket is
+// missing
+if (
+    !Request::isPost()
+    && !(
+        isset($_SESSION['logout_ticket'])
+        && check_ticket($_SESSION['logout_ticket'])
+    )
+) {
+    header('Location: ' . URLHelper::getURL('index.php'));
+    page_close();
+    die;
+}
 //nur wenn wir angemeldet sind sollten wir dies tun!
 if ($auth->auth['uid'] !== 'nobody') {
    $my_messaging_settings = $GLOBALS['user']->cfg->MESSAGING_SETTINGS;
@@ -56,11 +70,6 @@ if ($auth->auth['uid'] !== 'nobody') {
    $timeout=(time()-(15 * 60));
    $user->set_last_action($timeout);
-    // Perform logout from auth plugin (if possible)
-    if ($auth_plugin instanceof StudipAuthSSO) {
-        $auth_plugin->logout();
-    }
    $sess->start();
    $_SESSION['_language'] = $_language;
    if ($contrast) {
@@ -71,6 +80,11 @@ if ($auth->auth['uid'] !== 'nobody') {
        _('Sie sind nun aus dem System abgemeldet.'),
        array_filter([$GLOBALS['UNI_LOGOUT_ADD']])
    );
+    // Perform logout from auth plugin (if possible)
+    if ($auth_plugin instanceof StudipAuthSSO) {
+        $auth_plugin->logout();
+    }
 } else {
    $sess->delete();
    page_close();

--- a/templates/header.php
+++ b/templates/header.php
@@ -169,7 +169,7 @@ if ($navigation) {
                <? endif; ?>
                <? if (Navigation::hasItem('/avatar')): ?>
-                    <div id="avatar-menu">
+                    <form id="avatar-menu" method="post">
                    <?php
                    $action_menu = ContentGroupMenu::get();
                    $action_menu->addCSSClass('avatar-menu');
@@ -182,17 +182,29 @@ if ($navigation) {
                    );
                    foreach (Navigation::getItem('/avatar') as $subnav) {
-                        $action_menu->addLink(
+                        if ($subnav->getRenderAsButton()) {
-                            URLHelper::getURL($subnav->getURL(), [], true),
+                            $action_menu->addButton(
-                            $subnav->getTitle(),
+                                'logout',
-                            $subnav->getImage(),
+                                $subnav->getTitle(),
-                            $subnav->getLinkAttributes()
+                                $subnav->getImage(),
-                        );
+                                array_merge(
+                                    $subnav->getLinkAttributes(),
+                                    ['formaction' => URLHelper::getURL($subnav->getURL(), [], true)]
+                                )
+                            );
+                        } else {
+                            $action_menu->addLink(
+                                URLHelper::getURL($subnav->getURL(), [], true),
+                                $subnav->getTitle(),
+                                $subnav->getImage(),
+                                $subnav->getLinkAttributes()
+                            );
+                        }
                    }
                    SkipLinks::addIndex(_('Profilmenü'), 'header_avatar_image_link', 1, false);
                    ?>
                    <?= $action_menu->render(); ?>
-                    </div>
+                    </form>
                <? endif; ?>
                </li>
            <? endif; ?>

--- a/templates/shared/contentgroup-row.php
+++ b/templates/shared/contentgroup-row.php
@@ -29,11 +29,11 @@
            <? elseif ($action['type'] === 'button'): ?>
                <label>
                <? if ($action['icon']): ?>
-                    <?= $action['icon']->asInput(false, [
+                    <?= $action['icon']->asInput(false, array_merge($action['attributes'], [
                        'class' => 'action-menu-item-icon',
                        'name'  => $action['name'],
                        'title' => $action['label'],
-                    ]) ?>
+                    ])) ?>
                <? else: ?>
                    <span class="action-menu-no-icon"></span>
                    <button type="submit" name="<?= htmlReady($action['name']) ?>" style="display: none;"></button>