authorAndrew Dolgov <[email protected]>2020-09-15 16:59:11 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 16:59:11 +0300
commit154417d80b9f1ffb9d5d9fcbe2e6ab1dd15159bd (patch)
tree184c060c78dadf9fc50b6512a74ec31789d67162 /js/App.js
parentcbcb10a272ef8c46360da301e1bbbd4979d6f106 (diff)
public/logout: require valid CSRF token
Diffstat (limited to 'js/App.js')
-rw-r--r--js/App.js24
1 files changed, 23 insertions, 1 deletions
diff --git a/js/App.js b/js/App.js
index 1bf4ed881..af21cc97f 100644
--- a/js/App.js
+++ b/js/App.js
@@ -127,6 +127,28 @@ const App = {
}
);
},
+ postCurrentWindow: function(target, params) {
+ const form = document.createElement("form");
+
+ form.setAttribute("method", "post");
+ form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
+
+ for (const [k,v] of Object.entries(params)) {
+ const field = document.createElement("input");
+
+ field.setAttribute("name", k);
+ field.setAttribute("value", v);
+ field.setAttribute("type", "hidden");
+
+ form.appendChild(field);
+ }
+
+ document.body.appendChild(form);
+
+ form.submit();
+
+ form.parentNode.removeChild(form);
+ },
postOpenWindow: function(target, params) {
const w = window.open("");
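Review bot: `postCurrentWindow` has no comment saying that `target` must be a relative path under `self_url_prefix`, which matters because the only caller in this commit puts `csrf_token` in `params` and the helper posts it to whatever URL the concatenation produces. I would add above it `// POST params as hidden fields to self_url_prefix + "/" + target in the current window; target must be a same-origin relative path because params may carry csrf_token`. Separately, `field.setAttribute("value", v)` stringifies its argument, so a missing value is submitted as the literal text "undefined" or "null"; skipping such entries with `if (v == null) continue;` at the top of the loop would avoid sending a bogus token. The following `postOpenWindow` continues outside the hunk, so whether the two helpers could share the form-building code cannot be judged from here.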
@@ -1143,7 +1165,7 @@ const App = {
document.location.href = "prefs.php";
break;
case "qmcLogout":
- document.location.href = "backend.php?op=logout";
+ App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
break;
case "qmcTagCloud":
this.displayDlg(__("Tag cloud"), "printTagCloud");
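Review bot: The `qmcLogout` case now depends on the bare global `__csrf_token`, and nothing in this file-limited diff shows where it is defined. If it is ever unset when the menu handler runs, the call throws a ReferenceError and logout silently does nothing, so a guard or a one-line comment naming where the global is initialised would help. It is also worth confirming in the rest of the commit that the old `backend.php?op=logout` GET route is removed or rejected server-side; if it still works, a cross-site GET can log the user out regardless of this client change. The enclosing switch and its function begin and end outside the hunk.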