Changed admin templates to use POST for logout

django/contrib/admin/static/admin/css/base.css

@@ -893,12 +893,29 @@ table#change-history tbody th {
     border-bottom: 1px solid rgba(255, 255, 255, 0.25);
 }
 
-#user-tools a:focus, #user-tools a:hover {
+#user-tools a:focus, #user-tools a:hover,
+#user-tools #logout-form button:focus, #user-tools #logout-form button:hover {
     text-decoration: none;
     border-bottom-color: #79aec8;
     color: #79aec8;
 }
 
+#user-tools #logout-form {
+  display: inline;
+}
+
+#user-tools #logout-form button {
+  color: #fff;
+  background: none;
+  border: none;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.25);
+  cursor: pointer;
+  font: inherit;
+  letter-spacing: inherit;
+  text-transform: inherit;
+  padding: 0;
+}
+
 /* SIDEBAR */
 
 #content-related {

django/contrib/admin/static/admin/css/responsive.css

@@ -56,7 +56,7 @@ input[type="submit"], button {
         text-align: left;
     }
 
-    #user-tools a {
+    #user-tools a, #user-tools #logout-form button {
         display: inline-block;
         line-height: 1.4;
     }

django/contrib/admin/templates/admin/base.html

@@ -48,7 +48,10 @@
                 {% if user.has_usable_password %}
                 <a href="{% url 'admin:password_change' %}">{% translate 'Change password' %}</a> /
                 {% endif %}
-                <a href="{% url 'admin:logout' %}">{% translate 'Log out' %}</a>
+                <form id="logout-form" method="post" action="{% url 'admin:logout' %}">
+                  {% csrf_token %}
+                  <button type='submit'>{% translate 'Log out' %}</button>
+                </form>
             {% endblock %}
         </div>
         {% endif %}

django/contrib/admin/templates/registration/password_change_done.html

@@ -1,6 +1,6 @@
 {% extends "admin/base_site.html" %}
 {% load i18n %}
-{% block userlinks %}{% url 'django-admindocs-docroot' as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% translate 'Documentation' %}</a> / {% endif %}{% translate 'Change password' %} / <a href="{% url 'admin:logout' %}">{% translate 'Log out' %}</a>{% endblock %}
+{% block userlinks %}{% url 'django-admindocs-docroot' as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% translate 'Documentation' %}</a> / {% endif %}{% translate 'Change password' %} / <form id="logout-form" method="post" action="{% url 'admin:logout' %}">{% csrf_token %}<button type='submit'>{% translate 'Log out' %}</button></form>{% endblock %}
 {% block breadcrumbs %}
 <div class="breadcrumbs">
 <a href="{% url 'admin:index' %}">{% translate 'Home' %}</a>

django/contrib/admin/templates/registration/password_change_form.html

@@ -1,7 +1,7 @@
 {% extends "admin/base_site.html" %}
 {% load i18n static %}
 {% block extrastyle %}{{ block.super }}<link rel="stylesheet" type="text/css" href="{% static "admin/css/forms.css" %}">{% endblock %}
-{% block userlinks %}{% url 'django-admindocs-docroot' as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% translate 'Documentation' %}</a> / {% endif %} {% translate 'Change password' %} / <a href="{% url 'admin:logout' %}">{% translate 'Log out' %}</a>{% endblock %}
+{% block userlinks %}{% url 'django-admindocs-docroot' as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% translate 'Documentation' %}</a> / {% endif %} {% translate 'Change password' %} / <form id="logout-form" method="post" action="{% url 'admin:logout' %}">{% csrf_token %}<button type='submit'>{% translate 'Log out' %}</button></form>{% endblock %}
 {% block breadcrumbs %}
 <div class="breadcrumbs">
 <a href="{% url 'admin:index' %}">{% translate 'Home' %}</a>

tests/admin_views/tests.py

@@ -698,11 +698,17 @@ def test_isnull_lookups(self):
         response = self.client.get(changelist_url, {'section__isnull': '1'})
         self.assertContains(response, '1 article')
 
-    def test_logout_and_password_change_URLs(self):
+    def test_password_change_URL(self):
         response = self.client.get(reverse('admin:admin_views_article_changelist'))
-        self.assertContains(response, '<a href="%s">' % reverse('admin:logout'))
         self.assertContains(response, '<a href="%s">' % reverse('admin:password_change'))
 
+    def test_logout_form(self):
+        response = self.client.get(reverse('admin:admin_views_article_changelist'))
+        self.assertContains(
+            response,
+            '<form id="logout-form" method="post" action="%s">' % reverse('admin:logout')
+        )
+
     def test_named_group_field_choices_change_list(self):
         """
         Ensures the admin changelist shows correct values in the relevant column
@@ -3028,9 +3034,10 @@ def test_changelist_input_html(self):
         # main form submit button = 1
         # search field and search submit button = 2
         # CSRF field = 1
+        # CSRF field in logout form = 1
         # field to track 'select all' across paginated views = 1
-        # 6 + 4 + 4 + 1 + 2 + 1 + 1 = 19 inputs
-        self.assertContains(response, "<input", count=19)
+        # 6 + 4 + 4 + 1 + 2 + 1 + 1 + 1 = 20 inputs
+        self.assertContains(response, "<input", count=20)
         # 1 select per object = 3 selects
         self.assertContains(response, "<select", count=4)
 
@@ -3540,7 +3547,7 @@ def test_inline(self):
         foo_user = "foo username"
         bar_user = "bar username"
 
-        name_re = re.compile(b'name="(.*?)"')
+        name_re = re.compile(b'name="(?!csrfmiddlewaretoken")(.*)"')
 
         # test the add case
         response = self.client.get(reverse('admin:admin_views_persona_add'))
@@ -4804,8 +4811,9 @@ def test_readonly_get(self):
         self.assertEqual(response.status_code, 200)
         self.assertNotContains(response, 'name="posted"')
         # 3 fields + 2 submit buttons + 5 inline management form fields, + 2
-        # hidden fields for inlines + 1 field for the inline + 2 empty form
-        self.assertContains(response, "<input", count=15)
+        # hidden fields for inlines + 1 field for the inline + 2 empty form,
+        # + 1 hidden input for the CSRF token in the logout form
+        self.assertContains(response, "<input", count=16)
         self.assertContains(response, formats.localize(datetime.date.today()))
         self.assertContains(response, "<label>Awesomeness level:</label>")
         self.assertContains(response, "Very awesome.")