[Admin] Logout action should use POST method

damijank · Dec 9, 2021 · 3088cec · 3088cec
1 parent 34ed0e0
commit 3088cec
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/LoginController.php b/bundles/AdminBundle/Controller/Admin/LoginController.php
@@ -145,7 +145,7 @@ public function csrfTokenAction(Request $request, CsrfProtectionHandler $csrfPro
     }
 
     /**
-     * @Route("/logout", name="pimcore_admin_logout")
+     * @Route("/logout", name="pimcore_admin_logout" , methods={"POST"})
      */
     public function logoutAction()
     {

diff --git a/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig b/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig
@@ -145,9 +145,15 @@
     <div id="pimcore_avatar" style="display:none;">
         <img src="{{ path('pimcore_admin_user_getimage') }}" data-menu-tooltip="{{ user.name }} | {{ 'my_profile'|trans([],'admin') }}"/>
     </div>
-    <a id="pimcore_logout" data-menu-tooltip="{{ "logout"|trans([],'admin') }}" href="{{ path('pimcore_admin_logout') }}" style="display: none">
-        <img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg">
-    </a>
+
+    <form id="pimcore_logout_form" method="post" action="{{ path('pimcore_admin_logout') }}">
+        <input type="hidden" name="csrfToken" value="{{ pimcore_csrf.getCsrfToken() }}">
+
+        <a id="pimcore_logout" data-menu-tooltip="{{ "logout"|trans([],'admin') }}"
+           href="#" onclick="document.getElementById('pimcore_logout_form').submit();" style="display: none">
+            <img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg">
+        </a>
+    </form>
     <div id="pimcore_signet" data-menu-tooltip="Pimcore Platform ({{ settings.version }}|{{ settings.build }})" style="text-indent: -10000px">
         BE RESPECTFUL AND HONOR OUR WORK FOR FREE & OPEN SOURCE SOFTWARE BY NOT REMOVING OUR LOGO.
         WE OFFER YOU THE POSSIBILITY TO ADDITIONALLY ADD YOUR OWN LOGO IN PIMCORE'S SYSTEM SETTINGS. THANK YOU!

diff --git a/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig b/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig
@@ -18,7 +18,12 @@
         <button type="submit">{{ 'Login'|trans([],'admin') }}</button>
     </form>
 
-    <a href="{{ path('pimcore_admin_logout') }}">{{ 'Back to Login'|trans([],'admin') }}</a>
+    <form id="pimcore_logout_form" method="post" action="{{ path('pimcore_admin_logout') }}">
+        <input type="hidden" name="csrfToken" value="{{ pimcore_csrf.getCsrfToken() }}">
+        <a href="#" onclick="document.getElementById('pimcore_logout_form').submit();">{{ 'Back to Login'|trans([],'admin') }}</a>
+    </form>
+
+
 
     {{ pimcore_breach_attack_random_content() }}
 {% endblock %}
-Original file line number
+Diff line change
@@ Expand Up @@
         }
         /**
-         * @Route("/logout", name="pimcore_admin_logout")
+         * @Route("/logout", name="pimcore_admin_logout" , methods={"POST"})
          */
         public function logoutAction()
         {
@@ Expand Down @@