Don't expose session keys in views

jazzband · Jan 24, 2020 · f0c4077 · f0c4077
1 parent 671b38c
commit f0c4077
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 12 deletions.
diff --git a/tests/tests.py b/tests/tests.py
@@ -88,8 +88,8 @@ def test_list(self):
                                      user_agent='Firefox')
         response = self.client.get(reverse('user_sessions:session_list'))
         self.assertContains(response, 'Active Sessions')
-        self.assertContains(response, 'End Session', 3)
         self.assertContains(response, 'Firefox')
+        self.assertNotContains(response, 'ABC123')
 
     def test_delete(self):
         session_key = self.client.cookies[settings.SESSION_COOKIE_NAME].value

diff --git a/user_sessions/templates/user_sessions/session_list.html b/user_sessions/templates/user_sessions/session_list.html
@@ -13,7 +13,6 @@ <h1>{% trans "Active Sessions" %}</h1>
         <th>{% trans "Location" %}</th>
         <th>{% trans "Device" %}</th>
         <th>{% trans "Last Activity" %}</th>
-        <th>{% trans "End Session" %}</th>
       </tr>
     </thead>
     {% for object in object_list %}
@@ -27,16 +26,6 @@ <h1>{% trans "Active Sessions" %}</h1>
             {% blocktrans with time=object.last_activity|timesince %}{{ time }} ago{% endblocktrans %}
           {% endif %}
         </td>
-        <td>
-          <form method="post" action="{% url 'user_sessions:session_delete' object.pk %}">
-            {% csrf_token %}
-            {% if object.session_key == session_key %}
-              <button type="submit" class="btn btn-xs btn-link">{% trans "End Session" %}</button>
-            {% else %}
-              <button type="submit" class="btn btn-xs btn-warning">{% trans "End Session" %}</button>
-            {% endif %}
-          </form>
-        </td>
       </tr>
     {% endfor %}
   </table>