-
-
Notifications
You must be signed in to change notification settings - Fork 6.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use POST method instead of GET to perform logout in browsable API #9208
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -119,7 +119,7 @@ def optional_docs_login(request): | |
|
||
|
||
@register.simple_tag | ||
def optional_logout(request, user): | ||
def optional_logout(request, user, csrf_token): | ||
""" | ||
Include a logout snippet if REST framework's logout view is in the URLconf. | ||
""" | ||
|
@@ -135,11 +135,16 @@ def optional_logout(request, user): | |
<b class="caret"></b> | ||
</a> | ||
<ul class="dropdown-menu"> | ||
<li><a href='{href}?next={next}'>Log out</a></li> | ||
<form id="logoutForm" method="post" action="{href}?next={next}"> | ||
<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}"> | ||
</form> | ||
<li> | ||
<a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a> | ||
</li> | ||
</ul> | ||
</li>""" | ||
snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path)) | ||
|
||
snippet = format_html(snippet, user=escape(user), href=logout_url, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is it possible to update the tests a bit to verify it is working and not creating any regression? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It appears that using I added a test that specifically checks for the form declaration. If you had something other in your mind, let me know. |
||
next=escape(request.path), csrf_token=csrf_token) | ||
return mark_safe(snippet) | ||
|
||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure, but should this href use #?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since it immediately redirects the user to
next
, it should not be a problem?Alternatives:
We could remove the href. In that case, we would need to add inline css so that cursor would be pointer. Also we'll probably need to add
role="button"
for improved semantics for screen readers.We could set
next
as href. Although I'm not sure how it would behave. We may need to callpreventDefault
.I'm refraining from using
<button>
here since it would require a bit of CSS juggling.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a pretty standard pattern I think, seems okay to me.