Merge branch '6.1.6-U4-3619' into 6.2.0

2013-11-29 11:26:01 +11:00
parent 58fc51ae93 af29f61478
commit 250276bbd4
10 changed files with 64 additions and 37 deletions
--- a/src/Umbraco.Web.UI/install/Default.aspx.cs
+++ b/src/Umbraco.Web.UI/install/Default.aspx.cs
@@ -67,7 +67,9 @@ namespace Umbraco.Web.UI.Install
                
                if (result == ValidateRequestAttempt.FailedTimedOut || result == ValidateRequestAttempt.FailedNoPrivileges)
                {
-                    Response.Redirect(SystemDirectories.Umbraco + "/logout.aspx?redir=" + Server.UrlEncode(Request.RawUrl));
+                    Response.Redirect(
+                        //We must add the token to prevent CSRF attacks since the logout occurs on a GET not a POST
+                        SystemDirectories.Umbraco + "/logout.aspx?redir=" + Server.UrlEncode(Request.RawUrl) + "&t=" + Security.UmbracoUserContextId);
                }
            }

--- a/src/Umbraco.Web.UI/umbraco/logout.aspx
+++ b/src/Umbraco.Web.UI/umbraco/logout.aspx
@@ -1,21 +1,10 @@
-<%@ Page language="c#" Codebehind="logout.aspx.cs" AutoEventWireup="True" Inherits="umbraco.logout" %>
+<%@ Page language="c#" AutoEventWireup="True" Inherits="umbraco.logout" %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > 

 <html>
  <head>
-    <title>logout</title>
-    <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
-    <meta name="CODE_LANGUAGE" Content="C#">
-    <meta name=vs_defaultClientScript content="JavaScript">
-    <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
+    <title>Logout</title>
  </head>
-  <body MS_POSITIONING="GridLayout">
-	
-    <form id="Form1" method="post" runat="server">
-		<script>
-			window.top.location.href='login.aspx?redir=<%=Server.UrlEncode(Request["redir"]) %>';
-		</script>
-     </form>
-	
+  <body>	
  </body>
 </html>
--- a/src/Umbraco.Web.UI/umbraco/umbraco.aspx
+++ b/src/Umbraco.Web.UI/umbraco/umbraco.aspx
@@ -91,14 +91,19 @@
                </div>
            </asp:Panel>
            <div class="topBarButtons">
+                
                <button onclick="UmbClientMgr.appActions().launchAbout();" class="topBarButton">
                    <img src="images/aboutNew.png" alt="about" /><span><%=umbraco.ui.Text("general", "about")%></span></button>
                <button onclick="UmbClientMgr.appActions().launchHelp('<%=UmbracoUser.Language%>', '<%=UmbracoUser.UserType.Name%>');"
                    class="topBarButton">
                    <img src="images/help.png" alt="Help" /><span><%=umbraco.ui.Text("general", "help")%></span></button>
-                <button onclick="UmbClientMgr.appActions().logout();" class="topBarButton">
-                    <img src="images/logout.png" alt="Log out" /><span><%=umbraco.ui.Text("general", "logout")%>:
-                        <%=UmbracoUser.Name%></span></button>
+                <form action="logout.aspx" method="get" style="display: inline;" >
+                    <button class="topBarButton" type="submit">
+                        <img src="images/logout.png" alt="Log out" />
+                        <span><%=umbraco.ui.Text("general", "logout")%>:<%=UmbracoUser.Name%></span>
+                    </button>
+                    <input type="hidden" value="<%=Security.UmbracoUserContextId %>" name="t" id="t"/>
+                </form>
            </div>
        </div>
    </div>
@@ -341,7 +346,7 @@
        function umbracoSessionLogout() {

            //alert('Session has expired on server - can\'t renew. Logging out!');
-            top.document.location.href = 'logout.aspx';
+            top.document.location.href = 'logout.aspx?t=<%=Security.UmbracoUserContextId%>';
        }

        function blink($target) {
--- a/src/Umbraco.Web.UI/umbraco_client/Application/UmbracoApplicationActions.js
+++ b/src/Umbraco.Web.UI/umbraco_client/Application/UmbracoApplicationActions.js
@@ -10,7 +10,7 @@ Umbraco.Application.Actions = function () {
    /// <summary>
    /// Application actions actions for the context menu, help dialogs, logout, etc...
    /// This class supports an event listener model. Currently the available events are:
-    /// "nodeDeleting","nodeDeleted","nodeRefresh","beforeLogout"
+    /// "nodeDeleting","nodeDeleted","nodeRefresh"
    /// </summary>

    return {
@@ -75,13 +75,17 @@ Umbraco.Application.Actions = function () {
                alert('Not supported - please create by right clicking the parentnode and choose new...');
        },

-        logout: function () {
-            /// <summary>Logs the user out</summary>
+        logout: function (t) {
+            
+            if (!t) {
+                throw "The security token must be set in order to log a user out using this method";
+            }
+
            if (confirm(UmbClientMgr.uiKeys()["defaultdialogs_confirmlogout"])) {
                //raise beforeLogout event
                jQuery(window.top).trigger("beforeLogout", []);

-                document.location.href = 'logout.aspx';
+                document.location.href = 'logout.aspx?t=' + t;
            }
            return false;
        },
@@ -249,11 +253,14 @@ Umbraco.Application.Actions = function () {
            }
        },

-        actionQuit: function () {
-            /// <summary></summary>
+        actionQuit: function (t) {
+            
+            if (!t) {
+                throw "The security token must be set in order to log a user out using this method";
+            }

            if (confirm(uiKeys['defaultdialogs_confirmlogout'] + '\n\n'))
-                document.location.href = 'logout.aspx';
+                document.location.href = 'logout.aspx?t=' + t;
        },

        actionRePublish: function () {