Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork7k
Use POST method instead of GET to perform logout in browsable API#9208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
| <input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}"> | ||
| </form> | ||
| <li> | ||
| <a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
not sure, but should this href use #?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Since it immediately redirects the user tonext, it should not be a problem?
Alternatives:
We could remove the href. In that case, we would need to add inline css so that cursor would be pointer. Also we'll probably need to add
role="button"for improved semantics for screen readers.We could set
nextas href. Although I'm not sure how it would behave. We may need to callpreventDefault.
I'm refraining from using<button> here since it would require a bit of CSS juggling.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It's a pretty standard pattern I think, seems okay to me.
| </li>""" | ||
| snippet=format_html(snippet,user=escape(user),href=logout_url,next=escape(request.path)) | ||
| snippet=format_html(snippet,user=escape(user),href=logout_url, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
is it possible to update the tests a bit to verify it is working and not creating any regression?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It appears that usingPOST for logout has been available from the start (for the view we are using at least). So as long as we get the form action and CSRF right, it should be fine.
I added a test that specifically checks for the form declaration. If you had something other in your mind, let me know.
Description
Fixes#9206