Refined urltokens and XSRF protection

[project/luci.git] / modules / admin-full / luasrc / controller / admin / index.lua

diff --git a/modules/admin-full/luasrc/controller/admin/index.lua b/modules/admin-full/luasrc/controller/admin/index.lua
index eb58e00..e2b812e 100644 (file)
--- a/modules/admin-full/luasrc/controller/admin/index.lua
+++ b/modules/admin-full/luasrc/controller/admin/index.lua
@@ -20,6 +20,7 @@ function index()
        local root = node()
        if not root.target then
                root.target = alias("admin")
+               root.index = true
        end
        
        entry({"about"}, template("about")).i18n = "admin-core"
@@ -30,20 +31,31 @@ function index()
        page.order   = 10
        page.i18n    = "admin-core"
        page.sysauth = "root"
+       page.sysauth_authenticator = "htmlauth"
+       page.ucidata = true
+       page.index = true
        
        local page  = node("admin", "index")
        page.target = template("admin_index/index")
        page.title  = i18n("overview", "Übersicht")
        page.order  = 10
+       page.index = true
        
        local page  = node("admin", "index", "luci")
        page.target = cbi("admin_index/luci")
        page.title  = i18n("a_i_ui", "Oberfläche")
        
-       entry({"admin", "logout"}, call("action_logout"), i18n("logout"))
+       entry({"admin", "index", "logout"}, call("action_logout"), i18n("logout"))
 end
 
 function action_logout()
-       luci.http.header("Set-Cookie", "sysauth=; path=/")
+       local dsp = require "luci.dispatcher"
+       local sauth = require "luci.sauth"
+       if dsp.context.authsession then
+               sauth.kill(dsp.context.authsession)
+               dsp.context.urltoken.stok = nil
+       end
+
+       luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
        luci.http.redirect(luci.dispatcher.build_url())
 end
\ No newline at end of file