author | Andrew Dolgov <[email protected]> | 2020-09-15 16:59:11 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:59:11 +0300 |
commit | 154417d80b9f1ffb9d5d9fcbe2e6ab1dd15159bd (patch) | |
tree | 184c060c78dadf9fc50b6512a74ec31789d67162 /js/App.js | |
parent | cbcb10a272ef8c46360da301e1bbbd4979d6f106 (diff) |
public/logout: require valid CSRF token
Diffstat (limited to 'js/App.js')
-rw-r--r-- | js/App.js | 24 |
1 files changed, 23 insertions, 1 deletions
@@ -127,6 +127,28 @@ const App = {
 }
 );
 },
+ postCurrentWindow: function(target, params) {
+ const form = document.createElement("form");
+
+ form.setAttribute("method", "post");
+ form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
+
+ for (const [k,v] of Object.entries(params)) {
+ const field = document.createElement("input");
+
+ field.setAttribute("name", k);
+ field.setAttribute("value", v);
+ field.setAttribute("type", "hidden");
+
+ form.appendChild(field);
+ }
+
+ document.body.appendChild(form);
+
+ form.submit();
+
+ form.parentNode.removeChild(form);
+ },
 postOpenWindow: function(target, params) {
 const w = window.open("");
@@ -1143,7 +1165,7 @@ const App = {
 document.location.href = "prefs.php";
 break;
 case "qmcLogout":
- document.location.href = "backend.php?op=logout";
+ App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
 break;
 case "qmcTagCloud":
 this.displayDlg(__("Tag cloud"), "printTagCloud");
|
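Review bot: `postCurrentWindow` has no comment stating its contract, which matters because it copies every entry of `params` into a hidden field and posts it to `self_url_prefix + "/" + target` without validating or encoding `target`. The only caller in this commit passes `csrf_token`, so the token is sent to whatever that concatenation resolves to. I would add above the function: `// POST params as hidden fields and navigate the current window; target must be a fixed script name because params may carry csrf_token`. The function itself is complete within the hunk, but the enclosing `App` object starts and ends outside it.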
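Review bot: The `qmcLogout` case depends on server behaviour that this view, limited to js/App.js, does not show. The change only closes logout CSRF if `public.php` rejects `op=logout` without a valid token and the old `backend.php?op=logout` GET no longer ends the session. Both are worth confirming in the server-side part of the commit and recording at the call site, e.g. `// logout changes session state: POST with csrf_token, never a plain GET link`. `__csrf_token` is read as a bare global, so if it is unset the field is submitted as the string "undefined". The surrounding switch and its function begin outside the hunk.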