From 498ceec9f5bc35fe3076754e986b772a2f33608e Mon Sep 17 00:00:00 2001
From: Glandos
Date: Tue, 12 Jul 2022 12:46:36 +0200
Subject: [PATCH] Add logout as POST action for now, there is nothing when /exit is called manually
---
ihatemoney/forms.py | 4 ++++
ihatemoney/templates/layout.html | 7 ++++---
ihatemoney/web.py | 22 ++++++++++++++++++----
3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/ihatemoney/forms.py b/ihatemoney/forms.py
index f1e852e7..672102ab 100644
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@@ -443,6 +443,10 @@ class InviteForm(FlaskForm):
 )
+class ConfirmLogoutForm(FlaskForm):
+ submit = SubmitField(_("Logout"))
+
+
 class EmptyForm(FlaskForm):
 """Used for CSRF validation"""
diff --git a/ihatemoney/templates/layout.html b/ihatemoney/templates/layout.html
index f6c8f4a2..dc9ea4bf 100644
--- a/ihatemoney/templates/layout.html
+++ b/ihatemoney/templates/layout.html
@@ -119,9 +119,10 @@
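Review bot: ConfirmLogoutForm is added without a docstring, while its sibling EmptyForm directly below documents its purpose (`"""Used for CSRF validation"""`); a form holding nothing but a SubmitField gives a reader no hint why it exists. Suggest `"""Submit-only form whose job is to carry the CSRF token for the POST to /exit."""` right under the class line. The /exit view in web.py validates this form before clearing the session, and layout.html renders its hidden_tag(), so that is the contract worth stating.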
  • {{ _("Dashboard") }}
  • {% endif %}
  • - - {{ _("Logout") }} - +
    + {{ g.confirm_logout_form.hidden_tag() }} + {{ g.confirm_logout_form.submit(class="dropdown-item") }} +
• diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 4ecca084..7171b5ea 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -40,6 +40,7 @@ from ihatemoney.emails import send_creation_email
 from ihatemoney.forms import (
 AdminAuthenticationForm,
 AuthenticationForm,
+ ConfirmLogoutForm,
 DestructiveActionProjectForm,
 EditProjectForm,
 EmptyForm,
@@ -149,6 +150,7 @@ def pull_project(endpoint, values):
 if session.get(project.id) or is_admin or is_invitation:
 # add project into kwargs and call the original function
 g.project = project
+ g.confirm_logout_form = ConfirmLogoutForm()
 else:
 # redirect to authentication page
 raise Redirect303(url_for(".authenticate", project_id=project_id))
@@ -534,11 +536,23 @@ def export_project(file, format):
 )
-@main.route("/exit")
+@main.route("/exit", methods=["GET", "POST"])
 def exit():
- # delete the session
- session.clear()
- return redirect(url_for(".home"))
+ # We must test it manually, because otherwise, it creates a project "exit"
+ if request.method == "GET":
+ abort(405)
+
+ form = ConfirmLogoutForm()
+ if form.validate():
+ # delete the session
+ session.clear()
+ return redirect(url_for(".home"))
+ else:
+ flash(
+ format_form_errors(form, _("Unable to logout")),
+ category="danger",
+ )
+ return redirect(request.headers.get("Referer") or url_for(".home"))
 @main.route("/demo")
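Review bot: g.confirm_logout_form is only assigned on the authenticated branch of pull_project, so any request that renders layout.html without passing through this branch leaves g without the attribute, and the template's `g.confirm_logout_form.hidden_tag()` call would then raise AttributeError unless it sits inside an `{% if %}` that the collapsed layout hunk does not show. If the logout dropdown is indeed only reachable once a project is loaded, make that coupling explicit here with `# consumed by layout.html's logout dropdown; only rendered on authenticated project pages`. If it is not, building the form in a context processor rather than in pull_project would keep it defined for every render. pull_project's body begins outside the hunk.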
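Review bot: On the validation-failure path the redirect target is taken straight from the Referer header, which the client controls; a cross-site POST that fails CSRF validation (precisely the case this commit sets out to stop) therefore bounces the user back to whatever origin sent it, turning the error branch into a Referer-driven open redirect. Restrict the fallback to same-origin targets by comparing the parsed netloc against request.host, or simply redirect to `.home` as the success branch already does. Moving logout to POST behind form.validate() is the right fix for logout CSRF; the `else:` after a `return` is also unnecessary and could be flattened. The whole handler is inside the hunk, and urlparse would need an import at the top of web.py.
```python
def exit():
    # … unchanged: GET guard, ConfirmLogoutForm validation, success redirect, flash …
    # Referer is caller-supplied: only follow it back to our own host.
    referer = request.headers.get("Referer")
    target = url_for(".home")
    if referer and urlparse(referer).netloc == request.host:
        target = referer
    return redirect(target)
```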