authorDaniel Friesel <derf@finalrewind.org>2019-03-08 16:54:54 +0100
committerDaniel Friesel <derf@finalrewind.org>2019-03-08 16:54:54 +0100
commitbf4ccb0eabe0f4258bc174a83dfba318d0212af1 (patch)
tree1e655374478df55eea4a1a21c6af4a2e69331ec7
parentfd608391164ddc9e55e2f383620d395b43ae99b7 (diff)
Logout: Use a POST form as it's a stateful action
-rwxr-xr-xindex.pl4
-rw-r--r--templates/login.html.ep8
2 files changed, 11 insertions, 1 deletions
diff --git a/index.pl b/index.pl
index 69d1079..6331d45 100755
--- a/index.pl
+++ b/index.pl
@@ -1176,6 +1176,10 @@ get '/export.json' => sub {
post '/logout' => sub {
my ($self) = @_;
+ if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
+ $self->render( 'login', invalid => 'csrf' );
+ return;
+ }
$self->logout;
$self->redirect_to('/login');
};
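Review bot: The CSRF failure branch at the new render call answers with the default 200 status, so a rejected cross-site logout attempt looks like a successful page load to the client and to any monitoring on status codes; `$self->render( 'login', invalid => 'csrf', status => 403 );` makes the rejection explicit while keeping the same template. It is also worth confirming that the login template actually handles `invalid => 'csrf'` — from this hunk alone it is not visible whether that value maps to a user-facing message or is silently ignored. The check itself is the right shape: the session-bound token is verified before the state change, and the early `return` keeps `$self->logout` from running on a failed validation.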
diff --git a/templates/login.html.ep b/templates/login.html.ep
index f85ba91..23d3259 100644
--- a/templates/login.html.ep
+++ b/templates/login.html.ep
@@ -7,7 +7,13 @@
<p>
Du bist bereits angemeldet. Falls du mehrere Accounts hast
und auf einen anderen wechseln möchtest, musst du dich
- vorher <a href="/logout">abmelden</a>.
+ vorher
+ %= form_for 'logout' => begin
+ %= csrf_field
+ <button class="btn waves-effect waves-light" type="submit" name="action" value="logout">
+ Abmelden
+ </button>
+ %= end
</p>
</div>
</div>
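Review bot: The new `form_for` block is placed inside the `<p>` opened on the line above it, and a `<form>` is not allowed as phrasing content inside a paragraph, so the HTML parser will implicitly close the `<p>` before the form and the "vorher" text and the button end up in different elements. Either close the paragraph before the form (`vorher:</p>` followed by the `form_for` block) or change the wrapper from `<p>` to `<div>`; the rendered layout may otherwise differ from what the template suggests. The `csrf_field` helper inside the form matches the token check the route now performs, and `form_for 'logout'` will submit as POST for a route that only accepts POST, so the wiring itself looks correct.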