Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use POST method instead of GET to perform logout in browsable API #9208

Merged
merged 2 commits into from
Feb 19, 2024
+17 −6
Merged

Use POST method instead of GET to perform logout in browsable API #9208

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
edeabb1
Use POST method instead of GET to perform logout in browsable API
realsuayip Jan 3, 2024
fcbcb2b
Add a test that checks the presence of the logout form
realsuayip Feb 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion rest_framework/templates/rest_framework/admin.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
<ul class="nav navbar-nav pull-right">
{% block userlinks %}
{% if user.is_authenticated %}
{% optional_logout request user %}
{% optional_logout request user csrf_token %}
{% else %}
{% optional_login request %}
{% endif %}
Expand Down
2 changes: 1 addition & 1 deletion rest_framework/templates/rest_framework/base.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
<ul class="nav navbar-nav pull-right">
{% block userlinks %}
{% if user.is_authenticated %}
{% optional_logout request user %}
{% optional_logout request user csrf_token %}
{% else %}
{% optional_login request %}
{% endif %}
Expand Down
13 changes: 9 additions & 4 deletions rest_framework/templatetags/rest_framework.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ def optional_docs_login(request):


@register.simple_tag
def optional_logout(request, user):
def optional_logout(request, user, csrf_token):
"""
Include a logout snippet if REST framework's logout view is in the URLconf.
"""
Expand All @@ -135,11 +135,16 @@ def optional_logout(request, user):
<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href='{href}?next={next}'>Log out</a></li>
<form id="logoutForm" method="post" action="{href}?next={next}">
<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}">
</form>
<li>
<a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure, but should this href use #?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it immediately redirects the user to next, it should not be a problem?

Alternatives:

  • We could remove the href. In that case, we would need to add inline css so that cursor would be pointer. Also we'll probably need to add role="button" for improved semantics for screen readers.

  • We could set next as href. Although I'm not sure how it would behave. We may need to call preventDefault.

I'm refraining from using <button> here since it would require a bit of CSS juggling.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a pretty standard pattern I think, seems okay to me.

</li>
</ul>
</li>"""
snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path))

snippet = format_html(snippet, user=escape(user), href=logout_url,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to update the tests a bit to verify it is working and not creating any regression?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that using POST for logout has been available from the start (for the view we are using at least). So as long as we get the form action and CSRF right, it should be fine.

I added a test that specifically checks for the form declaration. If you had something other in your mind, let me know.

next=escape(request.path), csrf_token=csrf_token)
return mark_safe(snippet)


Expand Down
6 changes: 6 additions & 0 deletions tests/browsable_api/test_browsable_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,12 @@ def test_login_shown_when_logged_out(self):
content = response.content.decode()
assert '>Log in<' in content

def test_dropdown_contains_logout_form(self):
self.client.login(username=self.username, password=self.password)
response = self.client.get('/')
content = response.content.decode()
assert '<form id="logoutForm" method="post" action="/auth/logout/?next=/">' in content


@override_settings(ROOT_URLCONF='tests.browsable_api.no_auth_urls')
class NoDropdownWithoutAuthTests(TestCase):
Expand Down