Merge pull request #7892 from qld-gov-au/github-6955-cache-control

disable all caching on _logout URL, #6955
ckan · Nov 20, 2023 · 85e8380 · 85e8380
2 parents dab1b46 + b6d5a57
commit 85e8380
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 11 deletions.
diff --git a/changes/7892.bugfix b/changes/7892.bugfix
@@ -0,0 +1 @@
+Change logout link into a POST submit so it interacts properly with caching and CSRF
diff --git a/ckan/templates/header.html b/ckan/templates/header.html
@@ -39,10 +39,12 @@
         </li>
         {% endblock %} {% block header_account_log_out_link %}
         <li>
-          <a href="{{ h.url_for('user.logout') }}" title="{{ _('Log out') }}">
-            <i class="fa fa-sign-out" aria-hidden="true"></i>
-            <span class="text">{{ _('Log out') }}</span>
-          </a>
+          <form action="{{ h.url_for('user.logout') }}" method="post">
+            {{ h.csrf_input() }}
+            <button class="btn btn-link" type="submit" title="{{ _('Log out') }}">
+              <i class="fa fa-sign-out" aria-hidden="true"></i>
+            </button>
+          </form>
         </li>
         {% endblock %} {% endblock %}
       </ul>
@@ -98,14 +100,14 @@ <h2>{{ g.site_description }}</h2>
               {% set org_type = h.default_group_type('organization') %}
               {% set group_type = h.default_group_type('group') %}
 
-		          {{ h.build_nav_main(
-		            (dataset_type ~ '.search', h.humanize_entity_type('package', dataset_type, 'main nav') or _('Datasets'), ["dataset", "resource"]),
-		            (org_type ~ '.index',
+              {{ h.build_nav_main(
+                (dataset_type ~ '.search', h.humanize_entity_type('package', dataset_type, 'main nav') or _('Datasets'), ["dataset", "resource"]),
+                (org_type ~ '.index',
                   h.humanize_entity_type('organization', org_type, 'main nav') or _('Organizations'), ['organization']),
-		            (group_type ~ '.index',
+                (group_type ~ '.index',
                   h.humanize_entity_type('group', group_type, 'main nav') or _('Groups'), ['group']),
-		            ('home.about', _('About')) ) }}
-	          {% endblock %}
+                ('home.about', _('About')) ) }}
+            {% endblock %}
           </ul>
 
       {% endblock %}

diff --git a/ckan/views/user.py b/ckan/views/user.py
@@ -944,7 +944,7 @@ def sysadmin() -> Response:
     u'/register', view_func=RegisterView.as_view(str(u'register')))
 
 user.add_url_rule(u'/login', view_func=login, methods=('GET', 'POST'))
-user.add_url_rule(u'/_logout', view_func=logout)
+user.add_url_rule(u'/_logout', view_func=logout, methods=('GET', 'POST'))
 user.add_url_rule(u'/logged_out_redirect', view_func=logged_out_page)
 
 user.add_url_rule(u'/delete/<id>', view_func=delete, methods=(u'POST', 'GET'))