From ffc3aa927fa3f98b998df22c769c3af1bca845fe Mon Sep 17 00:00:00 2001
From: Serghei MIHAI
Date: Fri, 13 Mar 2015 16:21:37 +0100
Subject: [PATCH] slo done by checking the refer instead of POST
---
 ckanext/ozwillo_pyoidc/plugin.py | 17 ++++++-----------
 .../templates/logout_confirm.html | 17 -----------------
 2 files changed, 6 insertions(+), 28 deletions(-)
 delete mode 100644 ckanext/ozwillo_pyoidc/templates/logout_confirm.html
diff --git a/ckanext/ozwillo_pyoidc/plugin.py b/ckanext/ozwillo_pyoidc/plugin.py
index 2f280d3..2a77e8b 100755
--- a/ckanext/ozwillo_pyoidc/plugin.py
+++ b/ckanext/ozwillo_pyoidc/plugin.py
@@ -57,12 +57,9 @@ class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
 map.connect('/organization/{id:.*}/callback', controller=plugin_controller, action='callback')
- map.connect('/logout', controller=plugin_controller,
- action='logout')
 map.connect('/user/slo', controller=plugin_controller,
- action='slo',
- conditions={'method': ['POST']})
+ action='slo')
 map.redirect('/organization/{id:.*}/logout', '/user/_logout')
 return map
@@ -193,17 +190,15 @@ class OpenidController(base.BaseController):
 redirect_to(org_url)
- def logout(self):
- toolkit.c.slo_url = toolkit.url_for(host=request.host,
- controller=plugin_controller,
- action="slo",
- qualified=True)
- return base.render('logout_confirm.html')
 def slo(self):
 """ Revokes the delivered access token. Logs out the user """
+
+ if not request.referer or request.host not in request.referer:
+ redirect_to('/')
+
 g = model.Group.get(session['organization_id'])
 org_url = toolkit.url_for(host=request.host, controller='organization',
@@ -212,7 +207,7 @@ class OpenidController(base.BaseController):
 qualified=True)
 org_url = str(org_url)
- if toolkit.c.user and request.method == 'POST':
+ if toolkit.c.user:
 client = Clients.get(g)
 logout_url = client.end_session_endpoint
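Review bot: The new guard in `slo()` tests `request.host not in request.referer` as a plain substring, so any Referer whose path or query happens to contain the host string passes it; together with dropping the POST-only route condition in the first hunk and the `request.method == 'POST'` test in the third, a cross-site GET to `/user/slo` can still drive the token revocation and logout that the removed confirmation page previously gated, so the CSRF protection is weaker than before, not equivalent. Compare the parsed origin host instead, `referer_host = urlparse(request.referer or '').netloc` / `if referer_host != request.host:` / `redirect_to('/')`, and keep the `conditions={'method': ['POST']}` route restriction (or a CKAN CSRF token) rather than relying on the Referer alone, since browsers and referrer policies may omit the header. The bail-out also assumes `redirect_to('/')` raises, as the `redirect_to(org_url)` context line suggests it does; if it merely returns, the revocation below still runs, so `return redirect_to('/')` would make the intent explicit either way. `slo()` continues past the end of this hunk.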
diff --git a/ckanext/ozwillo_pyoidc/templates/logout_confirm.html b/ckanext/ozwillo_pyoidc/templates/logout_confirm.html
deleted file mode 100644
index 69d9a01..0000000
--- a/ckanext/ozwillo_pyoidc/templates/logout_confirm.html
+++ /dev/null
@@ -1,17 +0,0 @@
-{% extends "page.html" %}
-
-{% block primary_content %}
-
-
-

- {% block page_heading %} - {{ _('Logout from CKAN') }} - {% endblock %} -

-
- - {% trans %}Go back to CKAN{% endtrans %} -
-
-
-{% endblock %}