diff --git a/backend.php b/backend.php
index 1bbeec2bd..8cdeafdb7 100644
--- a/backend.php
+++ b/backend.php
@@ -12,8 +12,7 @@
 /* Public calls compatibility shim */
- $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
- "fbexport", "logout", "pubsub");
+ $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");
 if (array_search($op, $public_calls) !== false) {
 header("Location: public.php?" . $_SERVER['QUERY_STRING']);
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e4199a95e..8b1ce7127 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -283,8 +283,10 @@ class Handler_Public extends Handler {
 }
 function logout() {
- logout_user();
- header("Location: index.php");
+ if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
+ logout_user();
+ header("Location: index.php");
+ }
 }
 function share() {
diff --git a/js/App.js b/js/App.js
index 1bf4ed881..af21cc97f 100644
--- a/js/App.js
+++ b/js/App.js
@@ -127,6 +127,28 @@ const App = {
 }
 );
 },
+ postCurrentWindow: function(target, params) {
+ const form = document.createElement("form");
+ form.setAttribute("method", "post");
+ form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
+ for (const [k,v] of Object.entries(params)) {
+ const field = document.createElement("input");
+ field.setAttribute("name", k);
+ field.setAttribute("value", v);
+ field.setAttribute("type", "hidden");
+ form.appendChild(field);
+ }
+ document.body.appendChild(form);
+ form.submit();
+ form.parentNode.removeChild(form);
+ },
 postOpenWindow: function(target, params) {
 const w = window.open("");
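Review bot: The CSRF check added to logout() uses loose `==` and reads both array keys unguarded, so a request with no csrf_token posted against a session that also lacks one compares null == null and passes, a missing key on either side otherwise only raises an undefined-index notice, and loose comparison also treats two numeric-looking tokens (for example both of the form "0e…") as equal. Compare two strings that are known to exist with a constant-time check: `if (isset($_POST["csrf_token"], $_SESSION["csrf_token"]) && hash_equals((string) $_SESSION["csrf_token"], (string) $_POST["csrf_token"])) {`. On mismatch the method now falls through silently and the request ends with an empty 200 response; presumably the caller should get an explicit denial, such as a 403 status or a redirect back to index.php, so a failed check is visible in logs and to the user. The Handler_Public class body continues outside the hunk.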
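Review bot: postCurrentWindow has no documentation and its contract is not obvious from the body: it navigates the current window by submitting a synthetic POST form, so nothing after the call in the caller can rely on the page still being there once the navigation commits, and the form is detached from the body immediately after form.submit(). I would add a JSDoc above it stating that target is a path appended to self_url_prefix, that every params entry becomes a hidden input whose value is coerced to a string by setAttribute, and that the call replaces the current page. Object.entries(params) throws on an undefined params, so either guard it with `Object.entries(params || {})` or document that the argument is required. Style: `form.remove()` reads better than `form.parentNode.removeChild(form)`. postOpenWindow begins in this hunk but continues outside it.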
@@ -1143,7 +1165,7 @@ const App = {
 document.location.href = "prefs.php";
 break;
 case "qmcLogout":
- document.location.href = "backend.php?op=logout";
+ App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
 break;
 case "qmcTagCloud":
 this.displayDlg(__("Tag cloud"), "printTagCloud");
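Review bot: The new qmcLogout branch reads `__csrf_token` as a bare global, so if that script-level variable is not defined before this switch runs, the ReferenceError aborts the handler instead of posting the logout; it is not declared anywhere in the hunk, so presumably the page template sets it up. If App already exposes the token through its init params, reading it via `App.getInitParam(...)` would keep the dependency inside App rather than on a global; otherwise a short comment naming where `__csrf_token` comes from would help the next reader. The enclosing switch starts and ends outside the hunk.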