Re: [Django] #15619: Logout link should be protected


Django

May 30, 2011, 8:29:47 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+-------------------------------
Reporter: void | Owner: nobody
Type: Bug | Status: reopened
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
------------------------------------+-------------------------------

Comment (by lukeplant):

In the admin we can also have some jQuery (or other javascript) code that
will change the logout link so that it does a POST to the logout view by
submitting a (dynamically generated) POST form. That would be better than
a pass through page because it requires just one HTTP request.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 9, 2011, 3:35:56 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: new
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------
Changes (by ashchristopher):

* status: reopened => new
* owner: nobody => ashchristopher
* ui_ux: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:10>

Django

Sep 9, 2011, 5:56:29 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------
Changes (by ashchristopher):

* status: new => assigned


Comment:

Have this more or less working; however, it needs a CSRF token when doing
the logout in JavaScript. Not sure of the best way to go about this. Make a
call to the URL to get the CSRF token back, then use that to submit? Not
sure - it seems like a wonky idea.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:11>

Django

Sep 9, 2011, 9:00:50 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------
Changes (by ashchristopher):

* has_patch: 0 => 1


Comment:

Added patch but still needs work - looking for feedback.

[https://code.djangoproject.com/attachment/ticket/15619/ticket15619.diff]

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:12>

Django

Sep 9, 2011, 9:29:15 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------

Comment (by tobias):

1) Why POST the form over AJAX? Can't you just put a logout form on all
admin pages that the browser submits when the logout link is clicked?

2) The logout link should still point to the logout confirmation page
unless the click event is co-opted by JavaScript and converted into a
POST. This way the confirmation page will still come into play if someone
has JavaScript disabled.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:13>

Django

Sep 9, 2011, 9:53:49 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------

Comment (by PaulM):

Tobias seems to have hit it on the head. That sounds like the right
solution to me too.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:14>

Django

Sep 9, 2011, 10:46:27 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 1 | Needs tests: 1
Patch needs improvement: 1 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------
Changes (by PaulM):

* needs_better_patch: 0 => 1
* needs_tests: 0 => 1
* needs_docs: 0 => 1


Comment:

It's more usual to say

{{{
if request.method == "POST":
}}}

The "are you sure you want to log out" isn't translated.

It also needs tests and documentation.

Otherwise, the method looks pretty good to me. I'd like someone who's more
familiar with the admin coding conventions than I to make the final call,
but it's about ready. Thanks for keeping at this :)

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:15>

Django

Sep 11, 2011, 11:00:35 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 1 | Needs tests: 1
Patch needs improvement: 1 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------

Comment (by ashchristopher):

Regression tests fail using this patch. Attempting to fix regression
tests.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:16>

Django

Sep 14, 2011, 12:01:36 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------
Changes (by ashchristopher):

* needs_better_patch: 1 => 0
* needs_tests: 1 => 0
* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:17>

Django

Sep 26, 2011, 9:57:35 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------------+--------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Milestone: 1.4 | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+--------------------------------

Comment (by ashchristopher):

As per julienphalip's feedback on IRC:

"it'd be good to test the actual login status after using both the POST
and GET methods. It seems the patch only looks at what template is being
used."

Suggested using:
{{{
self.assertTrue(SESSION_KEY not in self.client.session)
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:18>

Django

Oct 12, 2011, 6:56:52 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: SVN
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by anonymous):

* needs_better_patch: 0 => 1


Comment:

Setting "patch needs improvement" per comment 18.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:20>

Django

Sep 7, 2012, 4:17:39 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by ashchristopher):

Beginning work on this patch again.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:21>

Django

Sep 9, 2012, 12:57:49 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by ashchristopher):

Talking to julienphalip on #django-dev - we are going to look at getting
ModelAdmin.media() to return only the js files needed for a given view.
This may require changing ModelAdmin.media() to be a method that takes
arguments, rather than staying as a property.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:22>

Django

Sep 22, 2012, 4:14:02 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by aaugustin):

#7989 was a duplicate.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:23>

Django

Feb 11, 2013, 8:00:39 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by vzima):

* cc: vlastimil.zima@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:24>

Django

Feb 11, 2013, 8:01:13 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by vzima):

Replying to [comment:3 lukeplant]:
> The point Russell was making was that 'SHOULD NOT' is not the same as
> 'MUST NOT'. In practice, while being logged out by a 3rd party might be a
> nuisance, in general the attackers will gain extremely little except
> ill-will, and therefore there is little motivation to exploit this, and
> fairly trivial consequences if they do.

Really?

[[Image(https://code.djangoproject.com/logout)]]

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:25>

Django

Feb 11, 2013, 10:24:50 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by aaugustin):

Congratulations, you've proved you like wasting our time.

Don't be surprised if your comments are ignored from now on.

By the way, this isn't even a proof-of-concept against Django, it's
against Trac.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:26>

Django

Feb 11, 2013, 10:36:21 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by vzima):

Replying to [comment:26 aaugustin]:


> Congratulations, you've proved you like wasting our time.
>
> Don't be surprised if your comments are ignored from now on.
>
> By the way, this isn't even an proof-of-concept against Django, it's
against Trac.

It is the same problem in Django as it is in Trac. It would be very easy
to add a lot of fake images to any site powered by Django, some of which
are listed on the Django homepage. Or the Django Project admin itself :)

{{{
[[Image(https://www.djangoproject.com/admin/logout/)]]
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:27>
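The attack vzima demonstrates with the Image macro above, and the defence lukeplant proposed in comment:9 (a POST form, submitted instead of following a plain link), can be shown end to end without a browser or a Django install. The following is an added example written for this page, not code from Django or from anyone in the thread: a stand-in session store, a browser model that attaches the site's cookies to every request it sends (which is exactly what happens when an <img> on an attacker's page points at the logout URL), the old "any request logs you out" view, and a POST-only view that also checks a per-session CSRF token. All class and function names are this example's own; SESSION_KEY only mirrors the name Django's auth app uses for the user id in the session, which is the key comment:18 suggests asserting on.

```python
"""Added example (not Django code): model of the logout CSRF in ticket #15619."""
import hmac
import secrets
from dataclasses import dataclass, field

# Name used by Django's auth app for the user id in the session; here it
# is just the key the assertions below look for.
SESSION_KEY = "_auth_user_id"


class SessionStore:
    """Server-side sessions, keyed by the value of the sessionid cookie."""

    def __init__(self):
        self._data = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(16)
        # A per-session CSRF secret; the site's template embeds it in forms.
        self._data[sid] = {SESSION_KEY: user_id, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._data.get(sid, {})

    def flush(self, sid):
        self._data.pop(sid, None)


@dataclass
class Request:
    method: str
    cookies: dict
    post: dict = field(default_factory=dict)


def logout_get(store, request):
    """Pre-fix behaviour: any request to the logout URL ends the session."""
    store.flush(request.cookies.get("sessionid"))
    return 200


def logout_post(store, request):
    """Hardened view: POST only, and the token in the body must equal the one
    bound to the session (compared in constant time)."""
    if request.method != "POST":
        return 405
    sid = request.cookies.get("sessionid")
    expected = store.get(sid).get("csrf", "")
    submitted = request.post.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403
    store.flush(sid)
    return 200


class Browser:
    """One cookie jar for the victim site; cookies ride on every request."""

    def __init__(self, sessionid):
        self.cookies = {"sessionid": sessionid}

    def load_img(self):
        # <img src="https://victim/admin/logout/"> on any page: a GET with
        # the cookies attached and no way for the attacker to add a body.
        return Request("GET", dict(self.cookies))

    def submit_form(self, fields):
        return Request("POST", dict(self.cookies), post=fields)


def simulate(hardened):
    """Send three requests against one logged-in session and report the status
    each got and whether the user was still logged in afterwards."""
    store = SessionStore()
    sid = store.create(user_id=42)
    browser = Browser(sid)
    view = logout_post if hardened else logout_get
    out = {}

    # 1. Victim views an attacker page containing the <img>.
    out["img_status"] = view(store, browser.load_img())
    out["logged_in_after_img"] = SESSION_KEY in store.get(sid)

    # 2. Attacker's auto-submitting form: a POST with cookies attached, but
    #    the token is a guess, since the attacker cannot read the victim's page.
    out["forged_post_status"] = view(store, browser.submit_form({"csrfmiddlewaretoken": "guess"}))
    out["logged_in_after_forged_post"] = SESSION_KEY in store.get(sid)

    # 3. The real logout form, rendered by the site with the session's token.
    token = store.get(sid).get("csrf", "")
    out["form_status"] = view(store, browser.submit_form({"csrfmiddlewaretoken": token}))
    out["logged_in_after_form"] = SESSION_KEY in store.get(sid)
    return out


if __name__ == "__main__":
    for name, hardened in (("GET logout", False), ("POST + CSRF logout", True)):
        print(name, simulate(hardened))
```

With the GET view, the image request alone ends the session (status 200, user logged out); with the POST-only view the image request gets 405, the forged POST gets 403, and only the site's own form, which carries the session's token in its csrfmiddlewaretoken field, logs the user out. In a real page that form is what a link's click handler submits, and the `not in session` check in step 3 is the assertion comment:18 asks the tests to make after both the GET and the POST case.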

Django

Feb 21, 2013, 4:11:03 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by raymond.penners@…):

* cc: raymond.penners@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:28>

Django

Feb 21, 2013, 5:50:28 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by lukeplant):

Replying to [comment:27 vzima]:

> It is the same problem in Django as it is in Trac. It would be very easy
> to add a lot of fake images to any site powered by Django, some of which
> are listed on the Django homepage. Or the Django Project admin itself :)

Please stop arguing with us when we already agree with you. See comment
number 4, which is after mine.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:29>

Django

Feb 25, 2013, 7:59:19 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------

Comment (by vzima):

Replying to [comment:29 lukeplant]:

> Replying to [comment:27 vzima]:
> >
> > It is the same problem in Django as it is in Trac. It would be very
> > easy to add a lot of fake images to any site powered by Django, some of
> > which are listed on the Django homepage. Or the Django Project admin
> > itself :)
>
> Please stop arguing with us when we already agree with you. See comment
> number 4, which is after mine.

My main point is that this ticket should be closed as soon as possible
because the bug has security consequences. The bug has been open for 2
years and it does not seem its patch will be included in 1.5 either. The
last patch probably requires no update except for comment:18, and then it
got stuck.

Anyway, based on the last patch from ashchristopher I created a GitHub
branch https://github.com/vzima/django/tree/15619-protected-logout with an
updated patch which takes comment:18 into account.
I also moved the base code from the admin logout to the auth logout so
logouts are protected outside of the admin application as well.

Feedback welcome, so we can finally close this issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:30>

Django

May 7, 2013, 7:02:37 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by csrf.django@…):

* cc: csrf.django@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:31>

Django

Jun 20, 2013, 1:09:33 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by erikr):

* cc: eromijn@… (added)


* needs_docs: 0 => 1

* component: contrib.admin => contrib.auth


Comment:

The patch no longer applies cleanly and an update for the contrib.auth
documentation is not included. A change like this also belongs in the
release notes, as it causes a backwards incompatibility.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:32>

Django

Nov 18, 2013, 11:36:00 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by KJ):

* needs_better_patch: 1 => 0

* needs_docs: 1 => 0


Comment:

I’ve added the documentation and made a few changes to vzima’s patch:
https://github.com/django/django/pull/1934

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:33>

Django

Nov 19, 2013, 1:04:50 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by unaizalakain):

* cc: unai@… (added)


Comment:

Patch LGTM

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:34>

Django

Nov 22, 2013, 7:27:29 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------

Comment (by vzima):

For a few days I have had the branch in progress, but KJ was a bit faster
:) I provide my pull request as well; I found a few things differ, though
I replaced the logout link with a form as well.

https://github.com/django/django/pull/1963

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:35>

Django

Nov 22, 2013, 7:35:25 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by vzima):

* needs_better_patch: 0 => 1


Comment:

I'd rather note this here, in case it gets lost on github: KJ didn't fix
the logout links in password change templates.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:36>

Django

Nov 22, 2013, 7:36:10 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by vzima):

* cc: vlastimil@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:37>

Django

Nov 22, 2013, 11:01:46 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------

Comment (by loic84):

The `input` that masquerades as an anchor doesn't render all that well
across various browsers, and it will also break for people with custom CSS.

I would replace it with `<a href="/admin/logout/" id="logout-link">` and a
jQuery click handler along these lines:
{{{#!javascript
$('#logout-link').click(function(event) {
    // Stop the browser following the href (the GET confirmation page) and
    // submit the enclosing POST form, which carries the CSRF token, instead.
    event.preventDefault();
    $(this).closest('form').submit();
});
}}}

People without JS can still log out because the `href` points to the
intermediary page.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:38>

Django

Nov 25, 2013, 3:12:06 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------

Comment (by vzima):

Replying to [comment:38 loic84]:

> The `input` that masquerades as an anchor doesn't render all that well
> across various browsers, also it'll break for people with custom CSS.

We could also keep the form and style the button as a button.

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:39>

Django

Jan 31, 2014, 5:14:20 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Gwildor):

* cc: Gwildor (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:40>

Django

Dec 4, 2014, 11:18:17 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------------
Reporter: void | Owner: ashchristopher
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------

Comment (by collinanderson):

https://groups.google.com/d/topic/django-developers/MmFzCq8oB5I/discussion

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:41>

Django

Jun 3, 2016, 12:32:58 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
------------------------------+------------------------------------
Reporter: void | Owner:
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by timgraham):

* owner: ashchristopher =>
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:42>

Django

Jan 9, 2018, 8:34:14 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: Ramiro Morales
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Ramiro Morales):

* owner: (none) => Ramiro Morales
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:43>

Django

Feb 27, 2020, 7:55:34 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by René Fleschenberg):

* owner: Ramiro Morales => René Fleschenberg


* needs_better_patch: 1 => 0

* has_patch: 1 => 0
* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:44>

Django

Feb 27, 2020, 12:18:16 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by René Fleschenberg):

* has_patch: 0 => 1


Comment:

As a first step, I suggest deprecating logout via GET.

PR: https://github.com/django/django/pull/12504

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:45>

Django

Mar 24, 2022, 12:42:48 PM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Bug | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by GitHub <noreply@…>):

In [changeset:"94d8ed55fa8e181b98f818a1b2805c66943cfeec" 94d8ed55]:
{{{
#!CommitTicketReference repository=""
revision="94d8ed55fa8e181b98f818a1b2805c66943cfeec"
Refs #15619 -- Logged out with POST requests in admin.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:46>

Django

Mar 25, 2022, 5:02:50 AM
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_docs: 1 => 0
* type: Bug => Cleanup/optimization
* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:47>

Django

Mar 29, 2022, 1:45:19 AM3/29/22
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed

Comment:

In [changeset:"eb07b5be0ce7c51938ed9b00bae04ebe9a75110c" eb07b5be]:
{{{
#!CommitTicketReference repository=""
revision="eb07b5be0ce7c51938ed9b00bae04ebe9a75110c"
Fixed #15619 -- Deprecated log out via GET requests.

Thanks Florian Apolloner for the implementation idea.

Co-Authored-By: Mariusz Felisiak <felisiak...@gmail.com>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:48>

Django

Aug 11, 2022, 7:08:58 AM8/11/22
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Michael):

Something that may be more likely than an XSS logout attack... is if some not
tech-savvy user clicks back, or navigates to the logged-out URL, and sees
the message "You are logged out", and thinks they are logged out now, and
it's safe to close the browser, but actually, since logout only happens via
POST now, they are actually still logged in. Yes, one can mitigate the
issue with some JavaScript on the logged-out page, but maybe the average
developer might miss this point when reading:
https://docs.djangoproject.com/en/dev/releases/4.1/#log-out-via-get

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:49>
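A constructed model of the behaviour the ticket settled on, plus the confirmation-page concern raised in the comment above, added here as an example; it is not Django's code and not from the ticket. The in-memory session store, `login`, `logout_view`, `logged_out_page` and the `csrf_token` field name are assumptions standing in for a real session backend and CSRF middleware.

```python
import hmac
import secrets
from http import HTTPStatus

# Constructed in-memory session store (session id -> session data); stands in
# for a real session backend, it is not Django's.
SESSIONS = {}
NO_STORE = {"Cache-Control": "no-store"}  # keep the page out of back/forward caches


def login(username):
    """Open a session for `username`; return (session_id, csrf_token)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(16)}
    return sid, SESSIONS[sid]["csrf"]


def is_authenticated(sid):
    return sid in SESSIONS


def logout_view(method, sid, csrf_token=None):
    """Hypothetical POST-only logout endpoint mirroring the rule the ticket
    settled on: a GET never ends the session, and a POST ends it only when it
    carries the session's CSRF token. Returns (status, body, headers)."""
    if method != "POST":
        # Links, prefetchers and cross-site <img src> can only issue a GET.
        return HTTPStatus.METHOD_NOT_ALLOWED, "Logout requires POST.", NO_STORE
    session = SESSIONS.get(sid)
    if session is None:
        return HTTPStatus.OK, "You are logged out.", NO_STORE
    if csrf_token is None or not hmac.compare_digest(csrf_token, session["csrf"]):
        # A cross-site form post cannot read the token: refused, session kept.
        return HTTPStatus.FORBIDDEN, "CSRF verification failed.", NO_STORE
    del SESSIONS[sid]
    return HTTPStatus.OK, "You are logged out.", NO_STORE


def logged_out_page(sid):
    """Confirmation page that reports the real session state. A user who
    navigates back here while still authenticated is not told they are logged
    out; they get the POST form needed to actually end the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return "You are logged out."
    return ('You are still logged in. <form method="post" action="/logout/">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf"]}">'
            '<button>Log out</button></form>')
```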

Django

Jan 17, 2023, 5:49:44 AM1/17/23
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"9a01311d204ebf23e615a0802cedcc7b6b373826" 9a01311d]:
{{{
#!CommitTicketReference repository=""
revision="9a01311d204ebf23e615a0802cedcc7b6b373826"
Refs #15619 -- Removed support for logging out via GET requests.

Per deprecation timeline.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:50>

Django

Sep 14, 2023, 1:49:17 PM9/14/23
to django-...@googlegroups.com
#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by GitHub <noreply@…>):

In [changeset:"e2a3a896cf0825a2da2347773c79ba7a341fe392" e2a3a896]:
{{{
#!CommitTicketReference repository=""
revision="e2a3a896cf0825a2da2347773c79ba7a341fe392"
Refs #15619 -- Removed deprecated annotation about logging out via GET
requests.

Follow up to 6c57c08ae52f86df843fccb5a3c1c6c45a10a26f.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:51>
