Status of #15619: logout via POST, but not GET


Tim Chase

Dec 3, 2014, 5:02:42 PM12/3/14
to django-d...@googlegroups.com
I've had a couple cases where browser link pre-fetching triggered
an unintended logout from my Django app (I haven't fully tracked down
the exact combination of triggering conditions, but I suspect they are
similar to Israel Brewster's CherryPy issue mentioned on
comp.lang.python [1]) and was surprised that Django suffered the same
issue.

Researching, I found https://code.djangoproject.com/ticket/15619
but see that it was last modified ~10mo ago, having been opened ~4yrs
ago. The current (development HEAD from git) versions of

django/contrib/auth/views.py:logout()
django/contrib/auth/__init__.py:logout()

still don't seem to contain any checks to ensure logouts can only
happen via POST rather than GET requests.

Is there any movement forward on resolving this so my browser
doesn't inconveniently boot me from the app when I don't intend to
log out?

-tkc

[1]
https://mail.python.org/pipermail/python-list/2014-December/682106.html

Tim Graham

Dec 3, 2014, 5:52:21 PM12/3/14
to django-d...@googlegroups.com, django...@tim.thechases.com
Hi Tim,

There's an open pull request, but it was opened over a year ago and has gone stale. Maybe you'd like to review and update it.

You can use the patch review checklist:

https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/submitting-patches/#patch-review-checklist

If you are happy with the patch after that, please mark the ticket as "ready for checkin" for a final review from a core developer.

Thanks!
Tim

Curtis Maloney

Dec 3, 2014, 6:48:48 PM12/3/14
to django-d...@googlegroups.com, django...@tim.thechases.com
Wasn't there a PR to turn all the auth views to CBV?

That would implicitly enforce the behaviour to POST-only, I would hope.

--
Curtis



Tim Graham

Dec 3, 2014, 7:25:23 PM12/3/14
to django-d...@googlegroups.com, django...@tim.thechases.com
I think you're thinking of https://code.djangoproject.com/ticket/17209. The latest patch appears to allow logout via GET, but even if it enforced POST, there are still client-side (template) updates required to turn the logout links into form submissions, so I think it should be considered an independent task (I may be missing your reasoning).

Marc Tamlyn

Dec 4, 2014, 2:18:32 AM12/4/14
to django-d...@googlegroups.com, django...@tim.thechases.com
From a brief look, the changes in the pull request do not appear to consider backwards compatibility at all, which would be important.

The argument that it's ok because it would now just show a confirmation page is insufficient as if someone had built a confirmation page there would now be two. Also it requires every user to ensure such a confirmation page fits the look of their website.

A possible solution would be to introduce a new view (logout_confirm) which describes the new behaviour and throw deprecation warnings on the old logout view.

In my opinion this change is not worth the backwards incompatibility.
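The logout_confirm view Marc describes, together with the form-based template change Tim Graham mentions, sketched as an added example that is not code from Django or from anyone in this thread. Request, Session and Response are constructed stand-ins for the Django objects so it runs without Django installed, and the inline CSRF token check is an assumption standing in for what CsrfViewMiddleware would normally do.

```python
# Added example, not Django's code: a self-contained model of the proposed
# logout_confirm view. Request/Session/Response are constructed stand-ins.
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    data: dict = field(default_factory=dict)
    def flush(self):
        # Django's session.flush() drops the server-side session data and
        # rotates the session key; here the backing dict is just emptied.
        self.data.clear()

@dataclass
class Request:
    method: str
    session: Session
    POST: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""

def confirmation_page(token):
    # The template side of the change: the logout link becomes a form, so
    # a link prefetcher (which only issues GET) can no longer end the session.
    return (
        '<form method="post" action="/accounts/logout/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        '<button type="submit">Log out</button></form>'
    )

def logout_confirm(request):
    """GET/HEAD render the confirmation form; only a POST carrying the
    session's CSRF token ends the session; any other method gets a 405."""
    if request.method in ("GET", "HEAD"):
        token = request.session.data.setdefault("csrf_token", secrets.token_hex(16))
        return Response(200, confirmation_page(token))
    if request.method == "POST":
        expected = request.session.data.get("csrf_token")
        supplied = request.POST.get("csrfmiddlewaretoken", "")
        if not expected or not secrets.compare_digest(expected, supplied):
            return Response(403, "CSRF verification failed")
        request.session.flush()  # the actual logout
        return Response(302)  # redirect to the login page, as Django's view does
    return Response(405)
```

A prefetcher's GET leaves the authenticated session intact and only receives the form; the session ends only on the POST the user submits from it.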

Collin Anderson

Dec 4, 2014, 11:17:35 PM12/4/14
to django-d...@googlegroups.com, django...@tim.thechases.com
I was just thinking about this. I agree that a GET causing logout is wrong, and we need to not break things and I agree we need to keep the original view untouched so we don't break anything. _maybe_ deprecate it. The admin could begin using the new view right away.

