authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-05 23:15:37 +0200
committerGravatar GitHub <noreply@github.com> 2025-04-05 23:15:37 +0200
commitd858053a7c70b3fee0fe407420ff8bd1466d5de2 (patch)
tree68e6237aff1f290361e21024a2a35476a6a88888 /app/Controllers/authController.php
parent711a14fd9ccea0a5b3c68dfa20fc34e558823f40 (diff)
Use HTTP POST for logout (#7489)
* Use HTTP POST for logout, to avoid potential CSRF risks. * Fixed button font issue. * Minor whitespace.
Diffstat (limited to 'app/Controllers/authController.php')
-rw-r--r--app/Controllers/authController.php10
1 files changed, 7 insertions, 3 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 9bad837f9..4de8d01f1 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -223,9 +223,13 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
* This action removes all accesses of the current user.
*/
public function logoutAction(): void {
- invalidateHttpCache();
- FreshRSS_Auth::removeAccess();
- Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
+ if (Minz_Request::isPost()) {
+ invalidateHttpCache();
+ FreshRSS_Auth::removeAccess();
+ Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
+ } else {
+ Minz_Error::error(403);
+ }
}
/**