From: Tom Hughes
Date: Sun, 14 Mar 2010 15:29:53 +0000 (+0000)
Subject: Require the session ID to log somebody out - if it isn't given we just
X-Git-Tag: live~6290^2~37
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/a7d304d20f171030d8a8c5f523c9039a02f832f2

Require the session ID to log somebody out - if it isn't given we just
show a confirmation page.

Closes #2792.
---
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index db8a509bd..9551ac6d8 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -182,19 +182,23 @@ class UserController < ApplicationController
   end
 
   def logout
-    if session[:token]
-      token = UserToken.find_by_token(session[:token])
-      if token
-        token.destroy
+    @title = t 'user.logout.title'
+
+    if params[:session] == request.session_options[:id]
+      if session[:token]
+        token = UserToken.find_by_token(session[:token])
+        if token
+          token.destroy
+        end
+        session[:token] = nil
+      end
+      session[:user] = nil
+      session_expires_automatically
+      if params[:referer]
+        redirect_to params[:referer]
+      else
+        redirect_to :controller => 'site', :action => 'index'
       end
-      session[:token] = nil
-    end
-    session[:user] = nil
-    session_expires_automatically
-    if params[:referer]
-      redirect_to params[:referer]
-    else
-      redirect_to :controller => 'site', :action => 'index'
     end
   end
 
diff --git a/app/views/layouts/site.html.erb b/app/views/layouts/site.html.erb
index 7ee3cf938..9fdee1eec 100644
--- a/app/views/layouts/site.html.erb
+++ b/app/views/layouts/site.html.erb
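Review bot: The new guard `if params[:session] == request.session_options[:id]` never checks that the parameter was supplied at all, so if `request.session_options[:id]` is nil for a request (whether that can happen depends on the session store in use, so treat it as something to confirm) a plain GET without a `session` parameter compares nil with nil and still logs the user out, which is the path this commit sets out to close. I would make the presence explicit: `if params[:session].present? && params[:session] == request.session_options[:id]`. On the same new side, `redirect_to params[:referer]` still sends the browser to any caller-supplied URL, and the confirmation form now forwards `referer` unchanged, so restricting it to a local path would close that open redirect. A short comment above the guard, `# the session id acts as the anti-CSRF secret: only a request that knows it logs out, otherwise the confirmation view is rendered`, would make the silent fall-through to the implicit render read as intentional.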
@@ -42,7 +42,7 @@ inbox_attributes[:title] = t 'layouts.inbox_tooltip', :count => @user.new_messages.size %>
         <%= link_to t('layouts.inbox', :count => @user.new_messages.size), {:controller => 'message', :action => 'inbox', :display_name => @user.display_name}, inbox_attributes %> |
-        <%= link_to t('layouts.logout'), {:controller => 'user', :action => 'logout', :referer => request.request_uri}, {:id => 'logoutanchor', :title => t('layouts.logout_tooltip')}%>
+        <%= link_to t('layouts.logout'), {:controller => 'user', :action => 'logout', :session => request.session_options[:id], :referer => request.request_uri}, {:id => 'logoutanchor', :title => t('layouts.logout_tooltip'), :method => :post, :href => url_for(:controller => 'user', :action => 'logout', :referer => request.request_uri)}%>
       <% else %>
         <%= link_to t('layouts.log_in'), {:controller => 'user', :action => 'login', :referer => request.request_uri}, {:id => 'loginanchor', :title => t('layouts.log_in_tooltip')} %> |
         <%= link_to t('layouts.sign_up'), {:controller => 'user', :action => 'new'}, {:id => 'registeranchor', :title => t('layouts.sign_up_tooltip')} %>
diff --git a/app/views/user/logout.html.erb b/app/views/user/logout.html.erb
new file mode 100644
index 000000000..e6d0dec59
--- /dev/null
+++ b/app/views/user/logout.html.erb
@@ -0,0 +1,6 @@
+
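Review bot: The session id is put into the query string of the logout URL (`:session => request.session_options[:id]`), which the `:method => :post` link uses as the form action, so the value serving as the anti-CSRF secret ends up in server access logs and browser history; carrying it in a hidden field, as the new logout.html.erb does, keeps it in the request body instead. The interplay on this line is non-obvious — the first argument builds the URL the generated POST form submits to, while the `:href` option supplies the no-JavaScript fallback that only shows the confirmation page — and deserves an ERB comment such as `<%# POST (JS) logs out directly using the session id; the plain href falls back to the confirmation page %>`. Whether the `:href` override is honoured as the fallback in exactly this way depends on the link_to helper of the Rails version in use, which is not visible here.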

<%= t 'user.logout.heading' %>

+<% form_tag :action => "logout" do %>
+  <%= hidden_field_tag("referer", h(params[:referer])) %>
+  <%= hidden_field_tag("session", request.session_options[:id]) %>
+  <%= submit_tag t('user.logout.logout_button') %>
+<% end %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 1c6b0df7e..8699d600c 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1367,6 +1367,10 @@ en:
       login_button: "Login"
       account not active: "Sorry, your account is not active yet.
Please click on the link in the account confirmation email to activate your account."
       auth failure: "Sorry, could not log in with those details."
+    logout:
+      title: "Logout"
+      heading: "Logout from OpenStreetMap"
+      logout_button: "Logout"
     lost_password:
       title: "Lost password"
       heading: "Forgotten Password?"