From 18b07efaf49c6e7c9d85c71aa1996b79f86bb3e6 Mon Sep 17 00:00:00 2001
From: skodak
Date: Fri, 2 Mar 2007 16:47:38 +0000
Subject: [PATCH] sesskey added to logout.php MDL-8727
---
 enrol/authorize/localfuncs.php | 2 +-
 lang/en_utf8/moodle.php | 1 +
 lib/weblib.php | 2 +-
 login/logout.php | 9 +++++++++
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/enrol/authorize/localfuncs.php b/enrol/authorize/localfuncs.php
index 7929f59880..a10469dd62 100644
--- a/enrol/authorize/localfuncs.php
+++ b/enrol/authorize/localfuncs.php
@@ -49,7 +49,7 @@ function prevent_double_paid($course)
 }
 if (isset($SESSION->ccpaid)) {
 unset($SESSION->ccpaid);
- redirect($CFG->wwwroot . '/login/logout.php');
+ redirect($CFG->wwwroot . '/login/logout.php?sesskey='.sesskey());
 return;
 }
 }
diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
index a8a89b7bcc..2d0b354b92 100644
--- a/lang/en_utf8/moodle.php
+++ b/lang/en_utf8/moodle.php
@@ -824,6 +824,7 @@ $string['loginstepsnone'] = '
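Review bot: The forced logout in `prevent_double_paid` (enrol/authorize/localfuncs.php) now depends on `login/logout.php` accepting the key passed in this `redirect()`. With this commit, a request whose key does not validate gets a yes/no confirmation page instead of being logged out, so the user could decline and keep the session. If the logout here must not be optional, ending the session in place with `require_logout();` before redirecting to `$CFG->wwwroot.'/'` would remove that dependency; whether other work in logout.php is needed on this path is not visible from the hunk. At minimum, a comment such as `// logout.php only logs out without asking when given a valid sesskey` would record why the parameter is there. The function body starts and ends outside the hunk.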

Hi!

$string['loginto'] = 'Login to $a';
 $string['loginusing'] = 'Login here using your username and password';
 $string['logout'] = 'Logout';
+$string['logoutconfirm'] = 'Do you really want to logout?';
 $string['logs'] = 'Logs';
 $string['logtoomanycourses'] = '[ url\">more ]';
 $string['logtoomanyusers'] = '[ url\">more ]';
diff --git a/lib/weblib.php b/lib/weblib.php
index 0a577e52c4..95b78d978d 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -2748,7 +2748,7 @@ function user_login_string($course=NULL, $user=NULL) {
 href=\"$CFG->wwwroot/course/view.php?id=$course->id&switchrole=0&sesskey=".sesskey()."\">".get_string('switchrolereturn').')';
 } else {
 $loggedinas = $realuserinfo.get_string('loggedinas', 'moodle', $username).' '.
- " (frametarget href=\"$CFG->wwwroot/login/logout.php\">".get_string('logout').')';
+ " (frametarget href=\"$CFG->wwwroot/login/logout.php?sesskey=".sesskey()."\">".get_string('logout').')';
 }
 } else {
 $loggedinas = get_string('loggedinnot', 'moodle').
diff --git a/login/logout.php b/login/logout.php
index 4714963209..e4e90d2f12 100644
--- a/login/logout.php
+++ b/login/logout.php
@@ -10,6 +10,15 @@
 $wwwroot = $CFG->wwwroot;
 }
+ $sesskey = optional_param('sesskey', '__notpresent__', PARAM_RAW); // we want not null default to prevent required sesskey warning
+
+ if (!confirm_sesskey($sesskey)) {
+ print_header($SITE->fullname, $SITE->fullname, 'home');
+ notice_yesno(get_string('logoutconfirm'), 'logout.php', $CFG->wwwroot.'/', array('sesskey'=>sesskey()), null, 'post', 'get');
+ print_footer();
+ die;
+ }
+
 require_logout();
 redirect("$wwwroot/");
--
2.39.5
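Review bot: A visitor who has no active login (an expired session, or a second click on a stale link) also falls into the `!confirm_sesskey($sesskey)` branch in login/logout.php and is asked to confirm a logout that has nothing to end. Checking the login state first, for example `if (isloggedin() && !confirm_sesskey($sesskey)) {`, would send that case straight to `require_logout()` and the redirect; this assumes `isloggedin()` is available in this branch of the code base. A comment above the check, such as `// Logging out changes session state, so a request without a valid sesskey (e.g. a link on another site) only gets the confirmation page`, would also record why the prompt exists. The script continues outside the hunk on both sides.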