Add log out confirmation if CSRF token is invalid. fixes #1282

framework/core/src/Forum/Controller/LogOutController.php

@@ -18,8 +18,11 @@ use Flarum\Http\Controller\ControllerInterface;
 use Flarum\Http\Exception\TokenMismatchException;
 use Flarum\Http\Rememberer;
 use Flarum\Http\SessionAuthenticator;
+use Flarum\Settings\SettingsRepositoryInterface;
 use Illuminate\Contracts\Events\Dispatcher;
+use Illuminate\Contracts\View\Factory;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Diactoros\Response\HtmlResponse;
 use Zend\Diactoros\Response\RedirectResponse;
 
 class LogOutController implements ControllerInterface
@@ -46,18 +49,38 @@ class LogOutController implements ControllerInterface
      */
     protected $rememberer;
 
+    /**
+     * @var Factory
+     */
+    protected $view;
+
+    /**
+     * @var SettingsRepositoryInterface
+     */
+    protected $settings;
+
     /**
      * @param Application $app
      * @param Dispatcher $events
      * @param SessionAuthenticator $authenticator
      * @param Rememberer $rememberer
+     * @param Factory $view
+     * @param SettingsRepositoryInterface $settings
      */
-    public function __construct(Application $app, Dispatcher $events, SessionAuthenticator $authenticator, Rememberer $rememberer)
+    public function __construct(
-    {
+        Application $app,
+        Dispatcher $events,
+        SessionAuthenticator $authenticator,
+        Rememberer $rememberer,
+        Factory $view,
+        SettingsRepositoryInterface $settings
+    ) {
         $this->app = $app;
         $this->events = $events;
         $this->authenticator = $authenticator;
         $this->rememberer = $rememberer;
+        $this->view = $view;
+        $this->settings = $settings;
     }
 
     /**
@@ -68,17 +91,27 @@ class LogOutController implements ControllerInterface
     public function handle(Request $request)
     {
         $session = $request->getAttribute('session');
-
-        if (array_get($request->getQueryParams(), 'token') !== $session->get('csrf_token')) {
-            throw new TokenMismatchException;
-        }
-
         $actor = $request->getAttribute('actor');
 
-        $this->assertRegistered($actor);
-
         $url = array_get($request->getQueryParams(), 'return', $this->app->url());
 
+        // If there is no user logged in, return to the index.
+        if ($actor->isGuest()) {
+            return new RedirectResponse($url);
+        }
+
+        // If a valid CSRF token hasn't been provided, show a view which will
+        // allow the user to press a button to complete the log out process.
+        $csrfToken = $session->get('csrf_token');
+
+        if (array_get($request->getQueryParams(), 'token') !== $csrfToken) {
+            $view = $this->view->make('flarum.forum::log-out')
+                ->with('csrfToken', $csrfToken)
+                ->with('forumTitle', $this->settings->get('forum_title'));
+
+            return new HtmlResponse($view->render());
+        }
+
         $response = new RedirectResponse($url);
 
         $this->authenticator->logOut($session);

framework/core/views/log-out.blade.php

@@ -0,0 +1,14 @@
+@extends('flarum.forum::layouts.basic')
+@inject('url', 'Flarum\Forum\UrlGenerator')
+
+@section('title', $translator->trans('core.views.log_out.title'))
+
+@section('content')
+  <p>{{ $translator->trans('core.views.log_out.log_out_confirmation', ['{forum}' => $forumTitle]) }}</p>
+
+  <p>
+    <a href="{{ $url->toRoute('logout') }}?token={{ $csrfToken }}" class="button">
+      {{ $translator->trans('core.views.log_out.log_out_button') }}
+    </a>
+  </p>
+@endsection