Change the HTTP method to GET for the Logout MenuItem
Hi there! I am trying to override the behaviour of the logout menu item in the user dropdown on my admin panel by adding this piece of code:
I get an error, because Filament still wants to process this as POST. I can fix it by changing the key from "logout" to "leave" but then it obviously doesn't replace the logout menu item... Is it possible to explicitly set the request method somehow?
20 Replies
Curious: why do you need it to be a GET? Laravel uses POST in order to prevent accidental logouts by bots randomly hitting the page or by malware in injected/hijacked JavaScript etc.
...
As for the component itself, the POST is hardcoded: https://github.com/filamentphp/filament/blob/d84f26cd905ab7ff32db14e4dc6a4b843081878e/packages/panels/resources/views/components/user-menu.blade.php#L81-L87
What @DrByte said. Logout should never be a GET. It should always be able to verify the logged-in user is actually who is making the request to log out.
@DrByte @awcodes I don't want to log out. I want to replace it with a GET URL to have the users leave the admin dashboard and go back to the main site where they can log out. I was able to deactivate the Filament-internal login by removing login() from my panel config, so I am just wondering why I can't fully remove the logout menu item from the user dropdown as well or overwrite it.
I tried overwriting it with 'logout' => MenuItem::make()->hidden(true), to just hide it, but this also doesn't seem to work. Filament really wants the logout action to be visible there 😄
Right. It's hard-coded. No option to hide/remove it. Just override the URL.
But adding your "Leave" menu item to the list will make it appear above Logout. I suppose you might be able to make the Log Out text be blank or almost-blank (can't be null or it'll do a lookup to the language file).
I just got the idea of doing it with some hacky CSS that I added to my filament theme:
This did the trick 😄
Haha. Yes, that's about the only remaining sensible option.
Absolutely nothing wrong with this. It’s 💯 valid CSS.
@awcodes do you think a PR to make the Logout option "removable" would be accepted? (perhaps support the common ->hidden() directive, which would just wrap it in an if conditional inside the component template)
I don’t think it would be, because it’s not a common use case. It’s app specific. Personally I would never remove the option for someone to log out from the admin side. I would never force them to leave the admin to log out.
Authentication is also not relevant to where they are in the app. They should be able to log out from anywhere, especially since it’s session based at the Laravel level and not the Filament level.
Ya, I tend to agree with you there.
(Granted, I wish Filament supported guest access to panels, not requiring any login.)
It does.
There’s a property that allows bypass authentication on pages.
Don’t remember it off the top of my head right now.
Thanks, but I was talking about Authentication, not Authorization.
Touché.
(Apologies: I don't like hijacking threads, so I'm sorry that this has gone there!)
I think this particular use case is somewhat tied together though. Which is why it exists. Would have to go back through the PRs/discussion. But want to say it was the underlying point of this feature to allow non-authenticated views.
Thanks. I'll peek at git blame and see where it takes me! 😄
Yeah, I can also understand why the logout HAS to be there from a design perspective. As one could build a whole application using Filament panels you probably don't want this to be removable from the config...
Real question is why does it matter? Why shouldn’t a user be able to log out from the panel or from a non-panel? They should be able to log out from anywhere in the app. It just doesn’t make sense to not be able to log out from the main part of the app that 100% depends on authentication.