From 8f033911030d26759c327145403f91ac6b1c5e66 Mon Sep 17 00:00:00 2001
From: Amir Sarabadani
Date: Thu, 25 Apr 2019 13:23:09 +0200
Subject: [PATCH] Turn logout link into a POST API call with refresh

It's better to get rid of any GET request with csrf token

Bug: T25227
Change-Id: I76464c750945d07a283b99b449f137593c685f02
---
 languages/i18n/en.json | 2 ++
 languages/i18n/qqq.json | 2 ++
 resources/Resources.php | 6 ++++++
 resources/src/mediawiki.page.ready.js | 23 +++++++++++++++++++++++
 4 files changed, 33 insertions(+)

diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 15edfc0160..a08a1ae834 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -388,6 +388,8 @@
 "virus-scanfailed": "scan failed (code $1)",
 "virus-unknownscanner": "unknown antivirus:",
 "logouttext": "You are now logged out.\n\nNote that some pages may continue to be displayed as if you were still logged in, until you clear your browser cache.",
+ "logging-out-notify": "You are being logged out, please wait.",
+ "logout-failed": "Cannot log out now: $1",
 "cannotlogoutnow-title": "Cannot log out now",
 "cannotlogoutnow-text": "Logging out is not possible when using $1.",
 "welcomeuser": "Welcome, $1!",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 972e37af61..d807ad58d9 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -595,6 +595,8 @@
 "virus-scanfailed": "Used as error message. \"scan\" stands for \"virus scan\". Parameters:\n* $1 - exit code of virus scanner",
 "virus-unknownscanner": "Used as error message. This message is followed by the virus scanner name.",
 "logouttext": "Log out message. Parameters:\n* $1 - (Unused) an URL to [[Special:Userlogin]] containing returnto and returntoquery parameters",
+ "logging-out-notify": "The message when the user is being logged out",
+ "logout-failed": "Message when log out fails in notification popup. Parameters:\n* $1 - Error message",
 "cannotlogoutnow-title": "Error page title shown when logging out is not possible.",
 "cannotlogoutnow-text": "Error page text shown when logging out is not possible. Parameters:\n* $1 - Session type in use that makes it not possible to log out, from a message like {{msg-mw|sessionprovider-mediawiki-session-cookiesessionprovider}}.",
 "welcomeuser": "Text for a welcome heading that users see after registering a user account.\n\nParameters:\n* $1 - the username of the new user. See [[phab:T44215]]",
diff --git a/resources/Resources.php b/resources/Resources.php
index 6b0b233f4c..4c359ee727 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1704,8 +1704,14 @@ return [
 'dependencies' => [
 'jquery.accessKeyLabel',
 'jquery.checkboxShiftClick',
+ 'mediawiki.notify',
+ 'mediawiki.api'
 ],
 'targets' => [ 'desktop', 'mobile' ],
+ 'messages' => [
+ 'logout-failed',
+ 'logging-out-notify'
+ ]
 ],
 'mediawiki.page.startup' => [
 'scripts' => 'resources/src/mediawiki.page.startup.js',
diff --git a/resources/src/mediawiki.page.ready.js b/resources/src/mediawiki.page.ready.js
index 12009d1010..630e3a6465 100644
--- a/resources/src/mediawiki.page.ready.js
+++ b/resources/src/mediawiki.page.ready.js
@@ -53,6 +53,29 @@
 window.print();
 e.preventDefault();
 } );
+
+ // Turn logout to a POST action
+ $( '#pt-logout a' ).on( 'click', function ( e ) {
+ var api = new mw.Api(), returnUrl;
+ returnUrl = $( '#pt-logout a' ).attr( 'href' );
+ mw.notify(
+ mw.message( 'logging-out-notify' ),
+ { tag: 'logout', autoHide: false }
+ );
+ api.postWithToken( 'csrf', {
+ action: 'logout'
+ } ).done( function () {
+ // Horrible hack until deprecation of logoutToken in GET is done
+ returnUrl = returnUrl.replace( /logoutToken=.+?($|&)/g, 'logoutToken=%2B%5C' );
+ window.location = returnUrl;
+ } ).fail( function ( e ) {
+ mw.notify(
+ mw.message( 'logout-failed', e ),
+ { type: 'error', tag: 'logout', autoHide: false }
+ );
+ } );
+ e.preventDefault();
+ } );
 } );
 }() );
-- 
2.20.1
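Review bot: The token rewrite in the `.done()` callback consumes the `&` it matches and does not put it back, so if `logoutToken` is ever followed by another parameter in the `#pt-logout a` href, that parameter is glued onto the placeholder token (for example `logoutToken=%2B%5Creturnto=...`) and the post-logout redirect carries a corrupted query string. Matching only the value avoids this: `returnUrl = returnUrl.replace( /logoutToken=[^&]*/g, 'logoutToken=%2B%5C' );`. Separately, the `.fail()` callback's parameter `e` shadows the click event `e`, and what it passes to `mw.message( 'logout-failed', e )` is presumably an API error code rather than readable text; renaming it (for example `code`) would make that explicit. The handler sits inside a ready callback that opens above this hunk.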