Don't show intermediate step during log out action on the MinervaNeue skin
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	pmiazga
	Jun 6 2019, 3:00 PM

Description

T25227: Use token when logging out improved security when it comes to user log out action. Previously, any GET request sent to Special:UserLogout page triggered the log out action. That was an issue as attacker could easily put an html that would logout user from Wikimedia. and now every request to the Special:UserLogout needs the logoutToken calculated by the system.

Otherwise system will present an intermediate step, it will ask for confirmation before logging out user.

To avoid the intermediate state, please pass the logoutToken param with the logout link.

QA Steps

Verify that logging out doesn't show an intermediate state.

Developer notes:

This can be achieved by passing param:

'logoutToken' => $this->user->getEditToken( 'logoutToken', $this->request )

To the $authLinksQuery in the AuthMenuEntry::buildComponentsForLoggedIn() method

Details

	Subject	Repo	Branch	Lines +/-
	menu: Add system generated logoutToken on logout action in Minerva	mediawiki/skins/MinervaNeue	master	+3 -2

Customize query in gerrit

Related Objects

Mentioned In: T225879: The logout link on Special::UserLogout doesn't respect mobile domain
Mentioned Here: T25227: Use token when logging out

Event Timeline

pmiazga created this task.Jun 6 2019, 3:00 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2019, 3:00 PM

pmiazga triaged this task as High priority.Jun 6 2019, 3:00 PM

pmiazga moved this task from Incoming to Triaged but Future on the Web-Team-Backlog board.

ovasileva lowered the priority of this task from High to Medium.Jun 6 2019, 3:02 PM

ovasileva moved this task from Triaged but Future to Upcoming on the Web-Team-Backlog board.

xSavitar subscribed.Jun 7 2019, 3:27 PM

Change 515510 had a related patch set uploaded (by D3r1ck01; owner: Derick Alangi):
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

https://gerrit.wikimedia.org/r/515510

gerritbot added a project: Patch-For-Review.Jun 8 2019, 10:23 AM

xSavitar claimed this task.Jun 8 2019, 10:25 AM

Restricted Application added a project: User-xSavitar. · View Herald TranscriptJun 8 2019, 10:25 AM

xSavitar moved this task from Backlog to Bugs on the MinervaNeue board.Jun 8 2019, 10:25 AM

xSavitar moved this task from Backlog to Under Review on the User-xSavitar board.

The issue was fixed by @D3r1ck01 - thanks for your contribution.
I reviewed the patch and did QA - moving to Ready for Sign off on kanbanana board.

pmiazga removed xSavitar as the assignee of this task.Jun 11 2019, 12:24 PM

pmiazga edited projects, added Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q4); removed Web-Team-Backlog.

pmiazga moved this task from To Do to Ready for Signoff on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q4) board.

pmiazga removed a project: Patch-For-Review.

xSavitar awarded a token.Jun 11 2019, 12:28 PM

xSavitar updated the task description. (Show Details)

xSavitar moved this task from Under Review to Reviewed/Resolved on the User-xSavitar board.

Change 515510 merged by jenkins-bot:
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

https://gerrit.wikimedia.org/r/515510

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 11 2019, 1:00 PM

ovasileva closed this task as Resolved.Jun 11 2019, 1:31 PM

ovasileva claimed this task.

pmiazga mentioned this in T225879: The logout link on Special::UserLogout doesn't respect mobile domain.Jun 18 2019, 3:32 PM

Don't show intermediate step during log out action on the MinervaNeue skinClosed, ResolvedPublicActions