From 3088cec7dc3cbc5a8b26f1269e398e799ee7ee28 Mon Sep 17 00:00:00 2001
From: dvesh3 <divesh.pahuja@pimcore.com>
Date: Thu, 9 Dec 2021 10:27:59 +0100
Subject: [PATCH] [Admin] Logout action should use POST method

---
 .../AdminBundle/Controller/Admin/LoginController.php |  2 +-
 .../Resources/views/Admin/Index/index.html.twig      | 12 +++++++++---
 .../Admin/Login/twoFactorAuthentication.html.twig    |  7 ++++++-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/bundles/AdminBundle/Controller/Admin/LoginController.php b/bundles/AdminBundle/Controller/Admin/LoginController.php
index c81c04ee0b9..fc121ef5fb5 100644
--- a/bundles/AdminBundle/Controller/Admin/LoginController.php
+++ b/bundles/AdminBundle/Controller/Admin/LoginController.php
@@ -145,7 +145,7 @@ public function csrfTokenAction(Request $request, CsrfProtectionHandler $csrfPro
     }
 
     /**
-     * @Route("/logout", name="pimcore_admin_logout")
+     * @Route("/logout", name="pimcore_admin_logout" , methods={"POST"})
      */
     public function logoutAction()
     {
diff --git a/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig b/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig
index d92ea411306..dd8da3b82b3 100644
--- a/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig
+++ b/bundles/AdminBundle/Resources/views/Admin/Index/index.html.twig
@@ -145,9 +145,15 @@
     <div id="pimcore_avatar" style="display:none;">
         <img src="{{ path('pimcore_admin_user_getimage') }}" data-menu-tooltip="{{ user.name }} | {{ 'my_profile'|trans([],'admin') }}"/>
     </div>
-    <a id="pimcore_logout" data-menu-tooltip="{{ "logout"|trans([],'admin') }}" href="{{ path('pimcore_admin_logout') }}" style="display: none">
-        <img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg">
-    </a>
+
+    <form id="pimcore_logout_form" method="post" action="{{ path('pimcore_admin_logout') }}">
+        <input type="hidden" name="csrfToken" value="{{ pimcore_csrf.getCsrfToken() }}">
+
+        <a id="pimcore_logout" data-menu-tooltip="{{ "logout"|trans([],'admin') }}"
+           href="#" onclick="document.getElementById('pimcore_logout_form').submit();" style="display: none">
+            <img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg">
+        </a>
+    </form>
     <div id="pimcore_signet" data-menu-tooltip="Pimcore Platform ({{ settings.version }}|{{ settings.build }})" style="text-indent: -10000px">
         BE RESPECTFUL AND HONOR OUR WORK FOR FREE & OPEN SOURCE SOFTWARE BY NOT REMOVING OUR LOGO.
         WE OFFER YOU THE POSSIBILITY TO ADDITIONALLY ADD YOUR OWN LOGO IN PIMCORE'S SYSTEM SETTINGS. THANK YOU!
diff --git a/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig b/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig
index 2fa7e82b168..dab97371662 100644
--- a/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig
+++ b/bundles/AdminBundle/Resources/views/Admin/Login/twoFactorAuthentication.html.twig
@@ -18,7 +18,12 @@
         <button type="submit">{{ 'Login'|trans([],'admin') }}</button>
     </form>
 
-    <a href="{{ path('pimcore_admin_logout') }}">{{ 'Back to Login'|trans([],'admin') }}</a>
+    <form id="pimcore_logout_form" method="post" action="{{ path('pimcore_admin_logout') }}">
+        <input type="hidden" name="csrfToken" value="{{ pimcore_csrf.getCsrfToken() }}">
+        <a href="#" onclick="document.getElementById('pimcore_logout_form').submit();">{{ 'Back to Login'|trans([],'admin') }}</a>
+    </form>
+
+
 
     {{ pimcore_breach_attack_random_content() }}
 {% endblock %}