From 5156eb4d51a56c0af6f4acf1000b496e9578731a Mon Sep 17 00:00:00 2001
From: Tim Kelty
Date: Mon, 18 Feb 2019 14:35:49 -0500
Subject: [PATCH 1/2] Return new CSRF values in JSON response for login/logout. Fixes #3858
---
 src/controllers/UsersController.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
index 41e62c94c4d..a624b3e8684 100644
--- a/src/controllers/UsersController.php
+++ b/src/controllers/UsersController.php
@@ -263,9 +263,15 @@ public function actionLogout(): Response
         Craft::$app->getUser()->logout(false);
 
         if (Craft::$app->getRequest()->getAcceptsJson()) {
-            return $this->asJson([
+            $return = [
                 'success' => true
-            ]);
+            ];
+
+            if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
+                $return['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken();
+            }
+
+            return $this->asJson($return);
         }
 
         // Redirect to the login page if this is a CP request
@@ -1632,10 +1638,16 @@ private function _handleSuccessfulLogin(bool $setNotice): Response
 
         // If this was an Ajax request, just return success:true
         if (Craft::$app->getRequest()->getAcceptsJson()) {
-            return $this->asJson([
+            $return = [
                 'success' => true,
                 'returnUrl' => $returnUrl
-            ]);
+            ];
+
+            if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
+                $return['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken();
+            }
+
+            return $this->asJson($return);
         }
 
         if ($setNotice) {
From 00cb6562ae53534b5eb463d22ed4d110773e0d46 Mon Sep 17 00:00:00 2001
From: Brandon Kelly
Date: Tue, 19 Feb 2019 11:13:49 -0800
Subject: [PATCH 2/2] $request
---
 src/controllers/UsersController.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
index a624b3e8684..5575cc9a0b0 100644
--- a/src/controllers/UsersController.php
+++ b/src/controllers/UsersController.php
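Review bot: `getCsrfToken()` on the added line returns whatever token the request object has already cached for this request, so if the incoming logout POST was CSRF-validated before `logout(false)` ran, the value sent back may still be the pre-logout token unless the user component regenerates it as part of logging out. Confirm that logout does regenerate the token; if it does not, ask for a fresh one explicitly, `$return['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken(true);`, so the Ajax client does not cache a value bound to the session that was just ended. The same question applies to the `_handleSuccessfulLogin` hunk below, where the returned token should be the one tied to the newly logged-in user rather than the anonymous one used to submit the form. actionLogout continues outside the hunk on both sides.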
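Review bot: The CSRF enrichment added here duplicates the block added in the `actionLogout` hunk above line for line, which invites the two JSON responses to drift the next time either is touched; extracting it into a private helper keeps the payload shape consistent and gives the `csrfTokenValue` key one place to be documented. The helper's docblock should state that the key is absent when CSRF protection is disabled, since Ajax consumers must treat it as optional rather than assume it is always present. `_handleSuccessfulLogin` begins and ends outside the hunk.
```php
            // … unchanged: Ajax branch of _handleSuccessfulLogin, now built via the helper …
            return $this->asJson($this->_withCsrfToken([
                'success' => true,
                'returnUrl' => $returnUrl
            ]));

    /**
     * Adds the current CSRF token to a JSON response payload when CSRF
     * protection is enabled, so Ajax clients can refresh their cached token
     * after a login or logout changes the session.
     *
     * The `csrfTokenValue` key is omitted when CSRF protection is disabled.
     *
     * @param array $data
     * @return array
     */
    private function _withCsrfToken(array $data): array
    {
        if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
            $data['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken();
        }

        return $data;
    }
```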
@@ -262,13 +262,14 @@ public function actionLogout(): Response
         // Passing false here for reasons.
         Craft::$app->getUser()->logout(false);
 
-        if (Craft::$app->getRequest()->getAcceptsJson()) {
+        $request = Craft::$app->getRequest();
+        if ($request->getAcceptsJson()) {
             $return = [
                 'success' => true
             ];
 
             if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
-                $return['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken();
+                $return['csrfTokenValue'] = $request->getCsrfToken();
             }
 
             return $this->asJson($return);
@@ -1637,14 +1638,15 @@ private function _handleSuccessfulLogin(bool $setNotice): Response
         $userSession->removeReturnUrl();
 
         // If this was an Ajax request, just return success:true
-        if (Craft::$app->getRequest()->getAcceptsJson()) {
+        $request = Craft::$app->getRequest();
+        if ($request->getAcceptsJson()) {
             $return = [
                 'success' => true,
                 'returnUrl' => $returnUrl
             ];
 
             if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
-                $return['csrfTokenValue'] = Craft::$app->getRequest()->getCsrfToken();
+                $return['csrfTokenValue'] = $request->getCsrfToken();
             }
 
             return $this->asJson($return);
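Review bot: With `$request` now held in a local, the guard that follows still reads `enableCsrfProtection` from the general config rather than `$request->enableCsrfValidation`, which is the property the request object actually enforces; if the two can ever diverge (a custom request component config, for instance), the response would advertise or omit the token independently of whether validation is on. If they are guaranteed to be kept in sync this is only a readability point, but `if ($request->enableCsrfValidation) {` states the condition the client cares about more directly and drops the second service lookup. The same pattern appears in the `_handleSuccessfulLogin` hunk below. Both enclosing methods start and end outside their hunks.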