Handle nonce in admin logout too

2026-05-06 01:57:37 +02:00 · 2015-11-17 11:56:21 +01:00
parent 01c5c6af40
commit d2763660fe
2 changed files with 11 additions and 3 deletions
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -86,12 +86,20 @@ class AdminController
     */
    public function execute()
    {
-        if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
-            if (method_exists('Grav\Common\Utils', 'getNonce')) {
+        if (method_exists('Grav\Common\Utils', 'getNonce')) {
+            if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
                if (!isset($this->post['admin-nonce']) || !Utils::verifyNonce($this->post['admin-nonce'], 'admin-form')) {
                    $this->admin->setMessage('Unauthorized', 'error');
                    return false;
                }
+            } else {
+               if ($this->task == 'logout') {
+                    $nonce = $this->grav['uri']->param('logout-nonce');
+                    $nonce = str_replace('SLASH', '/', $nonce);
+                    if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
+                        return;
+                    }
+                }
            }
        }

--- a/themes/grav/templates/partials/nav.html.twig
+++ b/themes/grav/templates/partials/nav.html.twig
@@ -81,7 +81,7 @@
            </a>
        </li> -->
        <li>
-            <a href="{{ base_url_relative }}/task{{ config.system.param_sep }}logout"><i class="fa fa-fw fa-sign-out"></i> {{ "PLUGIN_ADMIN.LOGOUT"|tu }}</a>
+            <a href="{{ uri.addNonce(base_url_relative ~ '/task' ~ config.system.param_sep ~ 'logout', 'logout-form', 'logout-nonce') }}"><i class="fa fa-fw fa-sign-out"></i> {{ "PLUGIN_ADMIN.LOGOUT"|tu }}</a>
        </li>
    </ul>
 </nav>