Logout: Use a POST form as it's a stateful action

2024-11-10 06:54:17 +00:00 · 2019-03-08 16:54:54 +01:00 · 2019-03-08 16:54:54 +01:00 · bf4ccb0eab
commit bf4ccb0eab
parent fd60839116
2 changed files with 11 additions and 1 deletions
--- a/index.pl
+++ b/index.pl
@ -1176,6 +1176,10 @@ get '/export.json' => sub {

 post '/logout' => sub {
 	my ($self) = @_;
+	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
+		$self->render( 'login', invalid => 'csrf' );
+		return;
+	}
 	$self->logout;
 	$self->redirect_to('/login');
 };
--- a/templates/login.html.ep
+++ b/templates/login.html.ep
@ -7,7 +7,13 @@
 					<p>
 						Du bist bereits angemeldet. Falls du mehrere Accounts hast
 						und auf einen anderen wechseln möchtest, musst du dich
-						vorher <a href="/logout">abmelden</a>.
+						vorher
+						%= form_for 'logout' => begin
+							%= csrf_field
+							<button class="btn waves-effect waves-light" type="submit" name="action" value="logout">
+								Abmelden
+							</button>
+						%= end
 					</p>
 				</div>
 			</div>