authorYorhel <git@yorhel.nl>2010-11-06 16:49:09 +0100
committerYorhel <git@yorhel.nl>2010-11-06 16:49:09 +0100
commit5f6845d76c1ed3cbfea73b004940749f64dab972 (patch)
tree98477dd8dcd001bd1c670dc74bf9adcb1b5a66be /lib
parente625403d6108b3f95361ece3c4311dae88747107 (diff)
URL change: /u/logout => /u$id/logout
Also fixes a cross-site request forgery vulnerability. Not as strong as the others but it's not very crucial anyway.
Diffstat (limited to 'lib')
-rw-r--r--lib/VNDB/Handler/Users.pm7
-rw-r--r--lib/VNDB/Util/LayoutHTML.pm2
2 files changed, 6 insertions, 3 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index 7812606f..70b1ea71 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -10,7 +10,7 @@ use VNDB::Func;
YAWF::register(
qr{u([1-9]\d*)} => \&userpage,
qr{u/login} => \&login,
- qr{u/logout} => \&logout,
+ qr{u([1-9]\d*)/logout} => \&logout,
qr{u/newpass} => \&newpass,
qr{u/newpass/sent} => \&newpass_sent,
qr{u/register} => \&register,
@@ -155,7 +155,10 @@ sub login {
sub logout {
- shift->authLogout;
+ my $self = shift;
+ my $uid = shift;
+ return 404 if !$self->authInfo->{id} || $self->authInfo->{id} != $uid;
+ $self->authLogout;
}
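Review bot: The guard on the `return 404 if ...` line ties logout to the user id in the path, but that id is not a secret: it is the same number the `u([1-9]\d*)` profile route exposes, so a forged cross-site request that names the right id still reaches `$self->authLogout`. The check therefore only stops untargeted forgeries, which the commit message itself concedes is weaker than the other fixes. A per-session unguessable value carried in the logout link and verified here would cover the targeted case as well, ideally with the action moved off a plain GET link. If the weaker check is deliberate, record that next to it, e.g. `# CSRF: uid is public, so this only blocks untargeted forged logouts`.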
diff --git a/lib/VNDB/Util/LayoutHTML.pm b/lib/VNDB/Util/LayoutHTML.pm
index eb086bcd..93a35e0e 100644
--- a/lib/VNDB/Util/LayoutHTML.pm
+++ b/lib/VNDB/Util/LayoutHTML.pm
@@ -94,7 +94,7 @@ sub _menu {
a href => '/v/new', mt '_menu_addvn'; br;
a href => '/p/new', mt '_menu_addproducer'; br;
br;
- a href => '/u/logout', mt '_menu_logout';
+ a href => "$uid/logout", mt '_menu_logout';
end;
} else {
h2;
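Review bot: `$uid` in `"$uid/logout"` is defined outside this hunk and has to expand to the full `/u<id>` prefix, leading slash included, for the link to match the new `u([1-9]\d*)/logout` route. In `logout` in Users.pm the same name holds the bare numeric id, so the two files use `$uid` for different things. Because the handler now answers 404 on any mismatch, a wrong prefix here would break logout for every user without an obvious error. A short comment where the variable is set, e.g. `# $uid is the "/u<id>" path prefix, not the numeric id`, would make that dependency explicit. `_menu` starts and ends outside the hunk, so the definition itself could not be checked.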