User logout confirmation form is not supported (d10.3+)

Created on 22 October 2024, 6 months ago

Problem

With Drupal 10.3/11 the user/logout route is CSRF protected, see: https://www.drupal.org/node/2822514
So when the token is missing, the confirmation form gets shown. However, that is atm not supported by the user-forms module, so the logout operation fails.

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇦🇹Austria fago Vienna


Comments & Activities

  • Issue created by @fago
  • 🇦🇹Austria fago Vienna

    I think this is not really a bug now, because there are ways to work around it.

    I came up with a simple one. Use the account-menu, which at least in standard profile, is there and provides us with working login/logout links. The logout link already contains the right token. API response for testing: /api/menu_items/account

  • 🇦🇹Austria fago Vienna

    Unfortunately the logout link token has some issues also, see 🐛 Wrong user logout CSRF token Active

  • 🇦🇹Austria fago Vienna

    I think this is not important, since generally it's better to make CSRF-token protected links work properly. The confirm-form we could make work, but including the redirect to the form, it's gonna be some additional work that might not be worth it.
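
Added example, not part of the issue thread or the user-forms module: a client-side check for the workaround discussed above. It walks a menu response, picks the logout link, and reports whether it carries the `token` query parameter, since a link without it lands on the confirmation form instead of logging out. The item fields `relative` and `below`, the sample data and the `https://example.com` origin are assumptions for illustration.

```javascript
// Added example; not code from the user-forms module.
// Assumed menu item shape: { title, relative, below: [child items] }.
function findLogoutLink(menuItems, origin = 'https://example.com') {
  const siteOrigin = new URL(origin).origin;
  const queue = [...menuItems];
  while (queue.length > 0) {
    const item = queue.shift();
    // Menu trees can be nested, so queue child items as well.
    if (Array.isArray(item.below)) queue.push(...item.below);
    if (typeof item.relative !== 'string') continue;

    let url;
    try {
      url = new URL(item.relative, origin);
    } catch {
      continue; // Skip malformed link values.
    }
    // Never follow a logout link that points at another origin.
    if (url.origin !== siteOrigin) continue;

    // Tolerate a trailing slash and a language prefix such as /de/user/logout.
    const path = url.pathname.replace(/\/+$/, '');
    if (!path.endsWith('/user/logout')) continue;

    const token = url.searchParams.get('token');
    return {
      href: url.pathname + url.search,
      // Without a token, Drupal 10.3+ shows the confirmation form.
      hasToken: typeof token === 'string' && token.length > 0,
    };
  }
  return null; // No logout link, for example for an anonymous user.
}

// Constructed sample standing in for the /api/menu_items/account response.
const SAMPLE_MENU = [
  { title: 'My account', relative: '/user', below: [] },
  { title: 'Log out', relative: '/user/logout?token=CONSTRUCTED_TOKEN', below: [] },
];

const link = findLogoutLink(SAMPLE_MENU);
if (link && !link.hasToken) {
  console.warn('Logout link has no CSRF token; expect the confirmation form.');
}
```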
