From d2763660fe5722a22b6f5ea90d0487de66064830 Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Tue, 17 Nov 2015 11:56:21 +0100
Subject: [PATCH] Handle nonce in admin logout too

---
 classes/controller.php | 12 ++++++++++--
 themes/grav/templates/partials/nav.html.twig | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/classes/controller.php b/classes/controller.php
index 2fcad937..8fe6177c 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -86,12 +86,20 @@ class AdminController
 */
 public function execute()
 {
- if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
- if (method_exists('Grav\Common\Utils', 'getNonce')) {
+ if (method_exists('Grav\Common\Utils', 'getNonce')) {
+ if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
 if (!isset($this->post['admin-nonce']) || !Utils::verifyNonce($this->post['admin-nonce'], 'admin-form')) {
 $this->admin->setMessage('Unauthorized', 'error');
 return false;
 }
+ } else {
+ if ($this->task == 'logout') {
+ $nonce = $this->grav['uri']->param('logout-nonce');
+ $nonce = str_replace('SLASH', '/', $nonce);
+ if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
+ return;
+ }
+ }
 }
 }

diff --git a/themes/grav/templates/partials/nav.html.twig b/themes/grav/templates/partials/nav.html.twig
index b1252f64..6777aeaf 100644
--- a/themes/grav/templates/partials/nav.html.twig
+++ b/themes/grav/templates/partials/nav.html.twig
@@ -81,7 +81,7 @@ -->
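Review bot: In the added logout branch, `isset($nonce)` can never be false because `$nonce` has just been assigned from `str_replace()`, so the only effective guard is `Utils::verifyNonce()`, and a request with no `logout-nonce` parameter reaches it as an empty (or otherwise coerced) string rather than being rejected up front. The failure path also disagrees with the POST branch directly above it: that branch records `$this->admin->setMessage('Unauthorized', 'error')` and returns false, while the logout branch returns null silently, so a caller inspecting the result of `execute()` and a user following a stale logout link get no signal that the nonce check failed. I would make the two branches agree: `if (!is_string($nonce) || $nonce === '' || !Utils::verifyNonce($nonce, 'logout-form')) {` followed by `$this->admin->setMessage('Unauthorized', 'error');` and `return false;`. The comparison `$this->task == 'logout'` would be safer as `===`, since the surrounding code already relies on exact string values. The body of `execute()` continues past the end of this hunk.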
  • - {{ "PLUGIN_ADMIN.LOGOUT"|tu }} + {{ "PLUGIN_ADMIN.LOGOUT"|tu }}