Require the session ID to log somebody out - if it isn't given we just

show a confirmation page. Closes #2792.

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index db8a509bd1f30aa62537d69c8cfa1b9b93b84069..9551ac6d8fbdd1e21524a6d1f7065f079c7618b9 100644 (file)
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -182,19 +182,23 @@ class UserController < ApplicationController
   end
 
   def logout
-    if session[:token]
-      token = UserToken.find_by_token(session[:token])
-      if token
-        token.destroy
+    @title = t 'user.logout.title'
+
+    if params[:session] == request.session_options[:id]
+      if session[:token]
+        token = UserToken.find_by_token(session[:token])
+        if token
+          token.destroy
+        end
+        session[:token] = nil
+      end
+      session[:user] = nil
+      session_expires_automatically
+      if params[:referer]
+        redirect_to params[:referer]
+      else
+        redirect_to :controller => 'site', :action => 'index'
       end
-      session[:token] = nil
-    end
-    session[:user] = nil
-    session_expires_automatically
-    if params[:referer]
-      redirect_to params[:referer]
-    else
-      redirect_to :controller => 'site', :action => 'index'
     end
   end
 

diff --git a/app/views/layouts/site.html.erb b/app/views/layouts/site.html.erb
index 7ee3cf9382c1f25ed0051912339ab1083df4de85..9fdee1eec9accf4fe0b470b60135c6367aa3b5ec 100644 (file)
--- a/app/views/layouts/site.html.erb
+++ b/app/views/layouts/site.html.erb
@@ -42,7 +42,7 @@
         inbox_attributes[:title] = t 'layouts.inbox_tooltip', :count => @user.new_messages.size
         %>
         <%= link_to t('layouts.inbox', :count => @user.new_messages.size), {:controller => 'message', :action => 'inbox', :display_name => @user.display_name}, inbox_attributes %> |
-        <%= link_to t('layouts.logout'), {:controller => 'user', :action => 'logout', :referer => request.request_uri}, {:id => 'logoutanchor', :title => t('layouts.logout_tooltip')}%>
+        <%= link_to t('layouts.logout'), {:controller => 'user', :action => 'logout', :session => request.session_options[:id], :referer => request.request_uri}, {:id => 'logoutanchor', :title => t('layouts.logout_tooltip'), :method => :post, :href => url_for(:controller => 'user', :action => 'logout', :referer => request.request_uri)}%>
       <% else %>
         <%= link_to t('layouts.log_in'), {:controller => 'user', :action => 'login', :referer => request.request_uri}, {:id => 'loginanchor', :title => t('layouts.log_in_tooltip')} %> |
         <%= link_to t('layouts.sign_up'), {:controller => 'user', :action => 'new'}, {:id => 'registeranchor', :title => t('layouts.sign_up_tooltip')} %>

diff --git a/app/views/user/logout.html.erb b/app/views/user/logout.html.erb
new file mode 100644 (file)
index 0000000..e6d0dec
--- /dev/null
+++ b/app/views/user/logout.html.erb
@@ -0,0 +1,6 @@
+<h1><%= t 'user.logout.heading' %></h1>
+<% form_tag :action => "logout" do %>
+  <%= hidden_field_tag("referer", h(params[:referer])) %>
+  <%= hidden_field_tag("session", request.session_options[:id]) %>
+  <%= submit_tag t('user.logout.logout_button') %>
+<% end %>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index 1c6b0df7eff422a712217b8727ae1eb43a5e08f9..8699d600cf0420e5775fe87f17c2d6356b291ed9 100644 (file)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1367,6 +1367,10 @@ en:
       login_button: "Login"
       account not active: "Sorry, your account is not active yet.<br />Please click on the link in the account confirmation email to activate your account."
       auth failure: "Sorry, could not log in with those details."
+    logout:
+      title: "Logout"
+      heading: "Logout from OpenStreetMap"
+      logout_button: "Logout"      
     lost_password:
       title: "Lost password"
       heading: "Forgotten Password?"