[SECURITY] [API BREAKING CHANGE] Require logout token.
[lhc/web/wiklou.git] / includes / api / ApiLogout.php
index c663d1e..39a96ac 100644 (file)
@@ -59,13 +59,21 @@ class ApiLogout extends ApiBase {
                Hooks::run( 'UserLogoutComplete', [ &$user, &$injected_html, $oldName ] );
        }
 
+       public function mustBePosted() {
+               return true;
+       }
+
+       public function needsToken() {
+               return 'csrf';
+       }
+
        public function isReadMode() {
                return false;
        }
 
        protected function getExamplesMessages() {
                return [
-                       'action=logout'
+                       'action=logout&token=123ABC'
                                => 'apihelp-logout-example-logout',
                ];
        }
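Review bot: The new overrides `mustBePosted()` and `needsToken()` carry no comment saying why logout is gated, so a later cleanup could remove them without realising they are the CSRF defence for this module. A one-line docblock above each would record the intent, for example `/** Logout changes session state: require POST and a CSRF token so a cross-site request cannot force a logout. */`. The token comparison itself is not in this hunk (presumably the API dispatcher performs it based on the `needsToken()` return value), so it is worth confirming with a test that a request sent by GET, or without a valid `token`, is rejected before `execute()` runs. The class body starts and ends outside the hunk.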