From 31b270404561a11608a39bf1277f3854ea670033 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Fri, 18 Oct 2024 08:28:24 +0000
Subject: [PATCH] post logout, re #4692
Merge request studip/studip!3507
---
app/controllers/terms.php | 1 +
app/views/api/oauth2/authorize.php | 13 ++++++++-----
app/views/terms/index.php | 7 +++----
lib/navigation/AvatarNavigation.php | 1 +
lib/navigation/Navigation.php | 18 +++++++++++++++++
public/logout.php | 24 ++++++++++++++++++-----
templates/header.php | 28 +++++++++++++++++++--------
templates/shared/contentgroup-row.php | 4 ++--
8 files changed, 72 insertions(+), 24 deletions(-)
diff --git a/app/controllers/terms.php b/app/controllers/terms.php
index ef59395046f..679a3477477 100644
--- a/app/controllers/terms.php
+++ b/app/controllers/terms.php
@@ -32,6 +32,7 @@ class TermsController extends AuthenticatedController
$GLOBALS['user']->cfg->store('TERMS_ACCEPTED', 1);
$this->redirectUser();
} else {
+ $_SESSION['logout_ticket'] = get_ticket();
$this->redirectUser('logout.php');
}
} elseif (Request::get('action') === 'denied') {
diff --git a/app/views/api/oauth2/authorize.php b/app/views/api/oauth2/authorize.php
index 693968adf86..57d4ef61bde 100644
--- a/app/views/api/oauth2/authorize.php
+++ b/app/views/api/oauth2/authorize.php
@@ -48,13 +48,16 @@
htmlReady($GLOBALS['user']->getFullName()),
htmlReady($GLOBALS['user']->username)
) ?><br>
- <small>
- <a href="<?= URLHelper::getLink('logout.php') ?>">
+ </p>
+
+ <form action="<?= URLHelper::getLink('logout.php') ?>" method="post">
+ <button class="as-link">
+ <small>
<?= sprintf(
_('Sind sie nicht <strong>%s</strong>, so melden Sie sich bitte ab und versuchen es erneut.'),
htmlReady($GLOBALS['user']->getFullName())
) ?>
- </a>
- </small>
- </p>
+ </small>
+ </button>
+ </form>
</section>
diff --git a/app/views/terms/index.php b/app/views/terms/index.php
index 69d116169d7..0dc5710e493 100644
--- a/app/views/terms/index.php
+++ b/app/views/terms/index.php
@@ -23,10 +23,9 @@
<? endif; ?>
<footer style="text-align: center">
<? if ($denial_message): ?>
- <?= Studip\LinkButton::createAccept(
- _('Verstanden'),
- URLHelper::getURL('logout.php')
- ) ?>
+ <form action="<?= URLHelper::getLink('logout.php') ?>" method="post">
+ <?= Studip\Button::createAccept(_('Verstanden')) ?>
+ </form>
<? else: ?>
<?= Studip\Button::createAccept(_('Ich erkenne die Nutzungsbedingungen an'), 'accept') ?>
diff --git a/lib/navigation/AvatarNavigation.php b/lib/navigation/AvatarNavigation.php
index a762db7c4f9..64bbdbc68a1 100644
--- a/lib/navigation/AvatarNavigation.php
+++ b/lib/navigation/AvatarNavigation.php
@@ -48,6 +48,7 @@ class AvatarNavigation extends Navigation
// Link to logout
$navigation = new Navigation(_('Logout'), 'logout.php');
$navigation->setImage(Icon::create('door-leave'));
+ $navigation->setRenderAsButton();
$this->addSubNavigation('logout', $navigation);
}
}
diff --git a/lib/navigation/Navigation.php b/lib/navigation/Navigation.php
index af4355b02eb..c8fde82f930 100644
--- a/lib/navigation/Navigation.php
+++ b/lib/navigation/Navigation.php
@@ -48,6 +48,8 @@ class Navigation implements IteratorAggregate
protected $title;
protected $url;
+ protected $render_as_button = false;
+
/**
* Mark the navigation item at the given path as active.
* This is just a shortcut for doing:
@@ -457,6 +459,22 @@ class Navigation implements IteratorAggregate
$this->badgeTimestamp = $badgeTimestamp;
}
+ /**
+ * Sets whether the navigation should be rendered as a button or not
+ */
+ public function setRenderAsButton(bool $state = true): void
+ {
+ $this->render_as_button = $state;
+ }
+
+ /**
+ * Return whether the navigation should be rendered as a button or not
+ */
+ public function getRenderAsButton(): bool
+ {
+ return $this->render_as_button;
+ }
+
/**
* Get the active subnavigation item of this navigation
* (if there is one). Returns NULL if the subnavigation
diff --git a/public/logout.php b/public/logout.php
index c2722a24fcf..76d079df29e 100644
--- a/public/logout.php
+++ b/public/logout.php
@@ -29,6 +29,20 @@ page_open(["sess" => "Seminar_Session", "auth" => "Seminar_Default_Auth", "perm"
require_once 'lib/messaging.inc.php';
+// Redirect to index page if request is not a post request or logout ticket is
+// missing
+if (
+ !Request::isPost()
+ && !(
+ isset($_SESSION['logout_ticket'])
+ && check_ticket($_SESSION['logout_ticket'])
+ )
+) {
+ header('Location: ' . URLHelper::getURL('index.php'));
+ page_close();
+ die;
+}
+
//nur wenn wir angemeldet sind sollten wir dies tun!
if ($auth->auth['uid'] !== 'nobody') {
$my_messaging_settings = $GLOBALS['user']->cfg->MESSAGING_SETTINGS;
@@ -56,11 +70,6 @@ if ($auth->auth['uid'] !== 'nobody') {
$timeout=(time()-(15 * 60));
$user->set_last_action($timeout);
- // Perform logout from auth plugin (if possible)
- if ($auth_plugin instanceof StudipAuthSSO) {
- $auth_plugin->logout();
- }
-
$sess->start();
$_SESSION['_language'] = $_language;
if ($contrast) {
@@ -71,6 +80,11 @@ if ($auth->auth['uid'] !== 'nobody') {
_('Sie sind nun aus dem System abgemeldet.'),
array_filter([$GLOBALS['UNI_LOGOUT_ADD']])
);
+
+ // Perform logout from auth plugin (if possible)
+ if ($auth_plugin instanceof StudipAuthSSO) {
+ $auth_plugin->logout();
+ }
} else {
$sess->delete();
page_close();
diff --git a/templates/header.php b/templates/header.php
index e5c8943c24d..75a87b4dbab 100644
--- a/templates/header.php
+++ b/templates/header.php
@@ -169,7 +169,7 @@ if ($navigation) {
<? endif; ?>
<? if (Navigation::hasItem('/avatar')): ?>
- <div id="avatar-menu">
+ <form id="avatar-menu" method="post">
<?php
$action_menu = ContentGroupMenu::get();
$action_menu->addCSSClass('avatar-menu');
@@ -182,17 +182,29 @@ if ($navigation) {
);
foreach (Navigation::getItem('/avatar') as $subnav) {
- $action_menu->addLink(
- URLHelper::getURL($subnav->getURL(), [], true),
- $subnav->getTitle(),
- $subnav->getImage(),
- $subnav->getLinkAttributes()
- );
+ if ($subnav->getRenderAsButton()) {
+ $action_menu->addButton(
+ 'logout',
+ $subnav->getTitle(),
+ $subnav->getImage(),
+ array_merge(
+ $subnav->getLinkAttributes(),
+ ['formaction' => URLHelper::getURL($subnav->getURL(), [], true)]
+ )
+ );
+ } else {
+ $action_menu->addLink(
+ URLHelper::getURL($subnav->getURL(), [], true),
+ $subnav->getTitle(),
+ $subnav->getImage(),
+ $subnav->getLinkAttributes()
+ );
+ }
}
SkipLinks::addIndex(_('Profilmenü'), 'header_avatar_image_link', 1, false);
?>
<?= $action_menu->render(); ?>
- </div>
+ </form>
<? endif; ?>
</li>
<? endif; ?>
diff --git a/templates/shared/contentgroup-row.php b/templates/shared/contentgroup-row.php
index a1052ab9d44..8b3419ce384 100644
--- a/templates/shared/contentgroup-row.php
+++ b/templates/shared/contentgroup-row.php
@@ -29,11 +29,11 @@
<? elseif ($action['type'] === 'button'): ?>
<label>
<? if ($action['icon']): ?>
- <?= $action['icon']->asInput(false, [
+ <?= $action['icon']->asInput(false, array_merge($action['attributes'], [
'class' => 'action-menu-item-icon',
'name' => $action['name'],
'title' => $action['label'],
- ]) ?>
+ ])) ?>
<? else: ?>
<span class="action-menu-no-icon"></span>
<button type="submit" name="<?= htmlReady($action['name']) ?>" style="display: none;"></button>
--
GitLab