| author | Bharat Mediratta <bharat@menalto.com> | 2009-07-21 13:02:20 -0700 | 
|---|---|---|
| committer | Bharat Mediratta <bharat@menalto.com> | 2009-07-21 13:02:20 -0700 | 
| commit | 80f48b084af874fea52ed29f06a1337954b137bf (patch) | |
| tree | b20fd20d0aa8dca12503814a6defa110d350a441 /modules/user/controllers | |
| parent | f83db99d39cc65b212f894c7e4ed66a52625f3c8 (diff) | |
In the logout link, urlencode the continue url so that ampersands, etc
don't break encapsulation.  In the logout controller, don't run the
url through url::redirect because that uses url::site().  Just set the
Location header directly.
This fixes ticket #483.
Diffstat (limited to 'modules/user/controllers')
| -rw-r--r-- | modules/user/controllers/logout.php | 11 | 
1 files changed, 6 insertions, 5 deletions
| diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index 63971789..099b1952 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -19,18 +19,19 @@
  */
 class Logout_Controller extends Controller {
   public function index() {
-    access::verify_csrf();
+    //access::verify_csrf();
     $user = user::active();
     user::logout();
     log::info("user", t("User %name logged out", array("name" => p::clean($user->name))),
               html::anchor("user/$user->id", p::clean($user->name)));
-    if ($this->input->get("continue")) {
-      $item = url::get_item_from_uri($this->input->get("continue"));
+    if ($continue_url = $this->input->get("continue")) {
+      $item = url::get_item_from_uri($continue_url);
       if (access::can("view", $item)) {
-        url::redirect($this->input->get("continue"));
+        // Don't use url::redirect() because it'll call url::site() and munge the continue url.
+        header("Location: $continue_url");
       } else {
-        url::redirect("");
+        url::redirect("albums/1");
       }
     }
   } | 
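Review bot: The CSRF check is disabled on the new side (`+    //access::verify_csrf();`), which the commit description does not mention; without it any third-party page can log a user out just by linking to this GET endpoint, so the line should be restored as `access::verify_csrf();` rather than left commented out. Separately, `header("Location: $continue_url");` now emits the `continue` parameter verbatim, and the only check on it is `access::can("view", $item)` on the resolved item — nothing here confirms the value is a site-relative path, so an absolute or protocol-relative value would turn the logout into an open redirect; a guard such as `if (!preg_match('#^(https?:)?//#i', $continue_url))` before the header, with the else-branch fallback otherwise, would close that. The `"albums/1"` fallback is a hard-coded id; a named constant would make the intent clearer. The class body appears to continue past the end of the hunk.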
