feature #1364 Add CSRF protection to logout url in the user controller (rosier)

javiereguiluz · javiereguiluz · commit c6686482ac6c · 2022-12-08T10:47:12.000+01:00
This PR was merged into the main branch. Discussion ---------- Add CSRF protection to logout url in the user controller Fixes: #1314 Related: #1312 Commits ------- 044b910 Add CSRF protection to logout url in the user controller
diff --git a/config/services.yaml b/config/services.yaml
@@ -33,6 +33,8 @@ services:
     App\EventSubscriber\CommentNotificationSubscriber:
         $sender: '%app.notifications.email_sender%'
 
+    Symfony\Component\Security\Http\Logout\LogoutUrlGenerator: '@security.logout_url_generator'
+
 when@test:
     services:
         test.user_password_hasher:
diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
+use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
  * Controller used to manage current user. The #[CurrentUser] attribute
@@ -61,14 +62,15 @@ public function changePassword(
         #[CurrentUser] User $user,
         Request $request,
         EntityManagerInterface $entityManager,
+        LogoutUrlGenerator $logoutUrlGenerator,
     ): Response {
         $form = $this->createForm(ChangePasswordType::class, $user);
         $form->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
             $entityManager->flush();
 
-            return $this->redirectToRoute('security_logout');
+            return $this->redirect($logoutUrlGenerator->getLogoutPath());
         }
 
         return $this->render('user/change_password.html.twig', [
diff --git a/tests/Controller/UserControllerTest.php b/tests/Controller/UserControllerTest.php
@@ -93,9 +93,10 @@ public function testChangePassword(): void
             'change_password[newPassword][second]' => $newUserPassword,
         ]);
 
-        $this->assertResponseRedirects(
+        $this->assertResponseRedirects();
+        $this->assertStringStartsWith(
             '/en/logout',
-            Response::HTTP_FOUND,
+            $client->getResponse()->headers->get('Location') ?? '',
             'Changing password logout the user.'
         );
     }
