Conversation

@datamweb
Collaborator

@datamweb datamweb commented Oct 19, 2023

Description
The duty of the session is to protect URLs. I think devs should know that there is no reason to protect logout. That's why I think we don't need to change the code.
I have already added this topic in #642.

fix #920

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@datamweb datamweb added the documentation Improvements or additions to documentation label Oct 19, 2023
@datamweb
Collaborator Author

Also, there is no reason for a user who is not logged in to have access to /logout.
This issue must be resolved.

/**
* Logs the current user out.
*/
public function logoutAction(): RedirectResponse
{
+// block route logout if see beforlogin
+if (!auth()->loggedIn()) {
+throw PageNotFoundException::forPageNotFound();
+}
// Capture logout redirect URL before auth logout,
// otherwise you cannot check the user in `logoutRedirect()`.
$url = config('Auth')->logoutRedirect();

auth()->logout();

return redirect()->to($url)->with('message', lang('Auth.successLogout'));
}
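Review bot: throwing PageNotFoundException when auth()->loggedIn() is false turns /logout into a 404 for any visitor without an active session, which includes a user whose session has already expired or been cleared before they clicked logout; they would see a "not found" page instead of the normal redirect to logoutRedirect(). This also sits oddly with the description above, which argues that logout should be excluded from the session filter rather than protected, so the guard should either be dropped in favour of the documented `except` entry or its intent documented in the user guide. If it is kept, the comment `// block route logout if see beforlogin` is misspelled and unclear; something like `// Return 404 when /logout is requested without an active login` says what the check actually does.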

public function logoutAction(): RedirectResponse
{
// Capture logout redirect URL before auth logout,
// otherwise you cannot check the user in `logoutRedirect()`.
$url = config('Auth')->logoutRedirect();
auth()->logout();
return redirect()->to($url)->with('message', lang('Auth.successLogout'));
}

@datamweb datamweb requested a review from kenjis October 20, 2023 00:25
@datamweb datamweb merged commit 2d7cd7c into codeigniter4:develop Oct 21, 2023
@datamweb datamweb deleted the docs-add-logout-to-except branch October 21, 2023 07:35


Development

Successfully merging this pull request may close these issues.

Bug: cannot login after logging out from url