Support POST only for logout
cdubz committed Dec 18, 2021
1 parent 32bfede commit 97fa8d7
Showing 4 changed files with 23 additions and 2 deletions.
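--- a/babybuddy/templates/babybuddy/nav-dropdown.html
+++ b/babybuddy/templates/babybuddy/nav-dropdown.html
@@ -269,7 +269,12 @@
 <h6 class="dropdown-header">{% trans "User" %}</h6>
 <a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a>
 <a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a>
-<a href="{% url 'babybuddy:logout' %}" class="dropdown-item">{% trans "Logout" %}</a>
+<form action="{% url 'babybuddy:logout' %}" role="form" method="post">
+{% csrf_token %}
+<button class="dropdown-item">
+{% trans "Logout" %}
+</button>
+</form>
 <h6 class="dropdown-header">{% trans "Site" %}</h6>
 <a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a>
 {% if request.user.is_staff %}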
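Review bot: The new `<button class="dropdown-item">` relies on the HTML default of `type="submit"` inside a form; stating it as `<button type="submit" class="dropdown-item">` keeps the logout working if the markup is later moved or scripted. The form does carry `{% csrf_token %}`, which the POST-only view needs. Only this dropdown is visible here (the surrounding menu markup and the `{% if request.user.is_staff %}` block continue outside the hunk), so any other template that still links to `babybuddy:logout` with a plain `<a href>` would now get the 405 that the added test expects and should be checked.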
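--- a/babybuddy/tests/tests_views.py
+++ b/babybuddy/tests/tests_views.py
@@ -70,3 +70,7 @@ def test_user_views(self):
 def test_welcome(self):
 page = self.c.get('/welcome/')
 self.assertEqual(page.status_code, 200)
+
+def test_logout_get_fails(self):
+page = self.c.get('/logout/')
+self.assertEqual(page.status_code, 405)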
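Review bot: `test_logout_get_fails` pins only the rejection path, so nothing here proves that a POST to `/logout/` still ends the session after the view swap. A companion test that posts and then checks the session no longer holds the auth key would cover the behaviour users depend on. Django's test client skips CSRF checks by default, so the `csrf_protect` decorator added in this commit is also untested; a client built with `enforce_csrf_checks=True` posting without a token should get 403. The test class and its `setUp` are outside the hunk, so the sketch below assumes `self.c` is already logged in.

```python
def test_logout_post(self):
    # Assumes setUp logged self.c in (not visible in this hunk).
    page = self.c.post('/logout/')
    # 200 or 302 depending on whether a logout redirect is configured.
    self.assertIn(page.status_code, (200, 302))
    # '_auth_user_id' is the session key Django stores the user id under.
    self.assertNotIn('_auth_user_id', self.c.session)
```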
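--- a/babybuddy/urls.py
+++ b/babybuddy/urls.py
@@ -9,7 +9,7 @@
 
 app_patterns = [
 path('login/', auth_views.LoginView.as_view(), name='login'),
-path('logout/', auth_views.LogoutView.as_view(), name='logout'),
+path('logout/', views.LogoutView.as_view(), name='logout'),
 path(
 'password_reset/',
 auth_views.PasswordResetView.as_view(),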
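--- a/babybuddy/views.py
+++ b/babybuddy/views.py
@@ -3,12 +3,17 @@
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.forms import PasswordChangeForm
 from django.contrib.auth.models import User
+from django.contrib.auth.views import LogoutView as LogoutViewBase
 from django.contrib.messages.views import SuccessMessageMixin
 from django.shortcuts import redirect, render
 from django.urls import reverse, reverse_lazy
 from django.utils import translation
+from django.utils.decorators import method_decorator
 from django.utils.text import format_lazy
 from django.utils.translation import gettext as _, gettext_lazy
+from django.views.decorators.cache import never_cache
+from django.views.decorators.csrf import csrf_protect
+from django.views.decorators.http import require_POST
 from django.views.generic import View
 from django.views.generic.base import TemplateView, RedirectView
 from django.views.generic.edit import CreateView, UpdateView, DeleteView
@@ -48,6 +53,13 @@ def get_context_data(self, **kwargs):
 return context
 
 
+@method_decorator(csrf_protect, name='dispatch')
+@method_decorator(never_cache, name='dispatch')
+@method_decorator(require_POST, name='dispatch')
+class LogoutView(LogoutViewBase):
+pass
+
+
 class UserList(StaffOnlyMixin, BabyBuddyFilterView):
 model = User
 template_name = 'babybuddy/user_list.html'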
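Review bot: The new `LogoutView` has only `pass` for a body, so nothing records why three decorators are stacked on `dispatch`. I would replace `pass` with a docstring such as `"""Log out on POST only; GET returns 405 so a cross-site link or image request cannot end the session."""`. The placement on `dispatch` is worth a why-comment too: as far as I know, Django releases before 4.1 perform the logout inside the base view's `dispatch`, so narrowing `http_method_names` alone would not stop a GET from logging the user out; confirm against the pinned Django version. `never_cache` may duplicate a decorator the base class already applies, which is harmless but could be noted or dropped.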
