Support POST only for logout
cdubz committed Dec 18, 2021
1 parent 32bfede commit 97fa8d7000aea0143dab37ff908d584acc0e03e7
Showing with 23 additions and 2 deletions.
  1. +6 −1 babybuddy/templates/babybuddy/nav-dropdown.html
  2. +4 −0 babybuddy/tests/tests_views.py
  3. +1 −1 babybuddy/urls.py
  4. +12 −0 babybuddy/views.py
@@ -269,7 +269,12 @@
<h6 class="dropdown-header">{% trans "User" %}</h6>
<a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a>
<a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a>
<a href="{% url 'babybuddy:logout' %}" class="dropdown-item">{% trans "Logout" %}</a>
<form action="{% url 'babybuddy:logout' %}" role="form" method="post">
{% csrf_token %}
<button class="dropdown-item">
{% trans "Logout" %}
</button>
</form>
<h6 class="dropdown-header">{% trans "Site" %}</h6>
<a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a>
{% if request.user.is_staff %}
@@ -70,3 +70,7 @@ def test_user_views(self):
def test_welcome(self):
page = self.c.get('/welcome/')
self.assertEqual(page.status_code, 200)

def test_logout_get_fails(self):
page = self.c.get('/logout/')
self.assertEqual(page.status_code, 405)
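Review bot: `test_logout_get_fails` pins only the 405 on GET; nothing in this hunk checks that a POST actually ends the session, or that a POST without a CSRF token is refused. Django's test client skips CSRF checks unless it is built with `Client(enforce_csrf_checks=True)`, so if `self.c` is a default client (its setup is outside this hunk) the `csrf_protect` decorator added in views.py is never exercised. I would add a test that posts to `/logout/` and asserts that a following request to a login-required page redirects to the login URL. A second test using an enforcing client should expect a 403 for a token-less POST.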
@@ -9,7 +9,7 @@

app_patterns = [
path('login/', auth_views.LoginView.as_view(), name='login'),
path('logout/', auth_views.LogoutView.as_view(), name='logout'),
path('logout/', views.LogoutView.as_view(), name='logout'),
path(
'password_reset/',
auth_views.PasswordResetView.as_view(),
@@ -3,12 +3,17 @@
from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.forms import PasswordChangeForm
from django.contrib.auth.models import User
from django.contrib.auth.views import LogoutView as LogoutViewBase
from django.contrib.messages.views import SuccessMessageMixin
from django.shortcuts import redirect, render
from django.urls import reverse, reverse_lazy
from django.utils import translation
from django.utils.decorators import method_decorator
from django.utils.text import format_lazy
from django.utils.translation import gettext as _, gettext_lazy
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
from django.views.generic import View
from django.views.generic.base import TemplateView, RedirectView
from django.views.generic.edit import CreateView, UpdateView, DeleteView
@@ -48,6 +53,13 @@ def get_context_data(self, **kwargs):
return context


@method_decorator(csrf_protect, name='dispatch')
@method_decorator(never_cache, name='dispatch')
@method_decorator(require_POST, name='dispatch')
class LogoutView(LogoutViewBase):
pass


class UserList(StaffOnlyMixin, BabyBuddyFilterView):
model = User
template_name = 'babybuddy/user_list.html'
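Review bot: The new `LogoutView` has a bare `pass` body and no docstring, so the reason for the three stacked decorators lives only in the commit title. I would replace `pass` with a docstring such as `"""Log the user out on POST only, so a cross-site GET request cannot end the session."""`. The base view's `dispatch` may already apply `never_cache` in the Django version in use, which is worth confirming before stacking it again. `UserList`, which closes the hunk, continues outside it.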
