Merge branch '1.0.X'

moztrap/model/mtadmin.py

@@ -7,6 +7,7 @@
 
 from django.conf import settings
 from django.forms.models import BaseInlineFormSet
+from django.shortcuts import redirect
 from django.views.decorators.cache import never_cache
 
 from django.contrib import admin, messages
@@ -38,6 +39,18 @@ def login(self, request, extra_context=None):
             )
 
 
+    @never_cache
+    def logout(self, request, extra_context=None):
+        """
+        Make admin 'logout' a no-op.
+
+        We replace the link with a "back to MozTrap" link.
+
+        The default AdminSite.logout implementation exposes us to logout CSRF.
+
+        """
+        return redirect("home")
+
 
 site = MTAdminSite()
 

templates/admin/base_site.html

@@ -0,0 +1,15 @@
+{% extends "admin/base.html" %}
+{% load url from future %}
+{% load i18n %}
+
+{% block title %}{{ title }} | {% trans 'MozTrap admin' %}{% endblock %}
+
+{% block branding %}
+<h1 id="site-name">{% trans 'MozTrap administration' %}</h1>
+{% endblock %}
+
+{% block nav-global %}{% endblock %}
+
+{% block userlinks %}
+  [ <a href="{% url 'home' %}">{% trans 'Back to MozTrap' %}</a> ]
+{% endblock %}

templates/users/set_username_form.html

@@ -6,7 +6,7 @@
 <section id="setusername">
   <h2>Welcome! Please choose a username</h2>
 
-  <p>We keep your email private, but we need a username to publicly identify
+  <p>We keep your email private, so we need a username to publicly identify
   you on the site.</p>
 
   <form method="POST" id="setusernameform">

tests/model/test_mtadmin.py

@@ -32,6 +32,27 @@ def test_login_redirect_message(self):
         res.follow().mustcontain("have permission")
 
 
+    def test_logout_doesnt(self):
+        """
+        Admin 'logout' view just redirects to home.
+
+        The default version exposes us to logout CSRF. We remove the admin
+        logout link to, but we still need to neuter the actual view since
+        removing it from the url patterns is a pain.
+
+        """
+        from django.contrib.auth.signals import user_logged_out
+        def handler(*args, **kwargs):
+            self.fail("User logged out, should not have been.")
+        user_logged_out.connect(handler, weak=True)
+
+        user = self.F.UserFactory.create(is_staff=True)
+
+        res = self.app.get(reverse("admin:logout"), user=user)
+
+        self.assertRedirects(res, "/")
+
+
 
 class TeamModelAdminTest(case.DBTestCase):
     """Tests of TeamModelAdmin."""