Change the HTTP method to GET for the Logout MenuItem

Hi there! I am trying to override the behaviour of the logout menu item in the user dropdown on my admin panel by adding this piece of code:
->userMenuItems([
'logout' => MenuItem::make()
->url(fn (): string => route('home'))
->label('Leave'),
])
->userMenuItems([
'logout' => MenuItem::make()
->url(fn (): string => route('home'))
->label('Leave'),
])
I get an error, because Filament still wants to process this as POST. I can fix it by changing the key from "logout" to "leave" but then it obviously doesn't replace the logout menu item... Is it possible to explicitly set the request method somehow?
20 Replies
DrByte
DrByte12mo ago
Curious: why do you need it to be a GET? Laravel uses POST in order to prevent accidental logouts by bots randomly hitting the page or by malware in injected/hijacked javascript etc.
DrByte
DrByte12mo ago
GitHub
filament/packages/panels/resources/views/components/user-menu.blade...
A collection of beautiful full-stack components for Laravel. The perfect starting point for your next app. Using Livewire, Alpine.js and Tailwind CSS. - filamentphp/filament
awcodes
awcodes12mo ago
What @DrByte said. Logout should never be a get. It should always be able to verify the logged in user is actually who is making the request to logout.
Samus_Aran
Samus_AranOP12mo ago
@DrByte @awcodes I dont want to logout. I want to replace it with a get URL to have the users leave the admin dashboard and go back to the main site where they can logout. I was able to deactive the Filament-Internal login by removing login() from my panel config, so I am just wondering why I cant fully remove the logout menu item from the user dropdown as well or overwrite it. I tried overwriting it with 'logout' => MenuItem::make()->hidden(true), to just hide it, but this also doesn't seem to work. Filament really wants the logout action to be visible there 😄
DrByte
DrByte12mo ago
Right. It's hard-coded. No option to hide/remove it. Just override the URL. But, adding your "Leave" menu item to the list, will make it appear above Logout. I suppose you might be able to make the Log Out text be blank or almost-blank (can't be null or it'll do a lookup to the language file).
Samus_Aran
Samus_AranOP12mo ago
I just got the idea of doing it with some hacky CSS that I added to my filament theme:
form[action*="administrator/logout"]
{
display: none;
}
form[action*="administrator/logout"]
{
display: none;
}
This did the trick 😄
DrByte
DrByte12mo ago
Haha. Yes, that's about the only remaining sensible option.
awcodes
awcodes12mo ago
Absolutely nothing wrong with this. It’s 💯 valid css.
DrByte
DrByte12mo ago
@awcodes do you think a PR to make the Logout option "removable" would be accepted? (perhaps support the common ->hidden() directive, which would just wrap it in an if conditional inside the component template)
awcodes
awcodes12mo ago
I don’t think it would be, because it’s not a common use case. It’s app specific. Personally I would never remove the option for someone to logout from the admin side. I would never force them to leave the admin to logout. Authentication, is also not relevant to where they are in the app. They should be able to log out from anywhere, especially since it’s session based at the laravel level and not the filament level.
DrByte
DrByte12mo ago
Ya, I tend to agree with you there. (Granted, I wish Filament supported guest access to panels, not requiring any login.)
awcodes
awcodes12mo ago
It does. There’s a property that allows bypass authentication on pages. Don’t remember it off the top of my head right now.
DrByte
DrByte12mo ago
Thanks, but I was talking about Authentication, not Authorization.
awcodes
awcodes12mo ago
Touche.
DrByte
DrByte12mo ago
(Apologies: I don't like hijacking threads, so I'm sorry that this has gone there!)
awcodes
awcodes12mo ago
I think this particular use case somewhat tied together though. Which is why it exists. Would have to go back through the PRs/ discussion. But want to say it was the underlying point of this feature to allow non authenticated views.
DrByte
DrByte12mo ago
Thanks. I'll peek at git blame and see where it takes me! 😄
Samus_Aran
Samus_AranOP12mo ago
Yeah, I can also understand why the logout HAS to be there from a design perspective. As one could build a whole application using filament panels you probably dont want this to be removable from the config...
awcodes
awcodes12mo ago
Real question is why does it matter? Why shouldn’t a user be able to log out from the panel or from a non panel. They should be able to logout from anywhere in the app. It just doesn’t make sense to not be able to log out from the main part of the app that 100% depends on authentication.
Want results from more Discord servers?
Add your server