Support POST only for logout

babybuddy/templates/babybuddy/nav-dropdown.html

@@ -269,7 +269,12 @@
                                 <h6 class="dropdown-header">{% trans "User" %}</h6>
                                 <a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a>
                                 <a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a>
-                                <a href="{% url 'babybuddy:logout' %}" class="dropdown-item">{% trans "Logout" %}</a>
+                                <form action="{% url 'babybuddy:logout' %}" role="form" method="post">
+                                    {% csrf_token %}
+                                    <button class="dropdown-item">
+                                        {% trans "Logout" %}
+                                    </button>
+                                </form>
                                 <h6 class="dropdown-header">{% trans "Site" %}</h6>
                                 <a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a>
                                 {% if request.user.is_staff %}

babybuddy/tests/tests_views.py

@@ -70,3 +70,7 @@ class ViewsTestCase(TestCase):
     def test_welcome(self):
         page = self.c.get('/welcome/')
         self.assertEqual(page.status_code, 200)
+
+    def test_logout_get_fails(self):
+        page = self.c.get('/logout/')
+        self.assertEqual(page.status_code, 405)

babybuddy/urls.py

@@ -9,7 +9,7 @@ from . import views
 
 app_patterns = [
     path('login/', auth_views.LoginView.as_view(), name='login'),
-    path('logout/', auth_views.LogoutView.as_view(), name='logout'),
+    path('logout/', views.LogoutView.as_view(), name='logout'),
     path(
         'password_reset/',
         auth_views.PasswordResetView.as_view(),

babybuddy/views.py

@@ -3,12 +3,17 @@ from django.contrib import messages
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.forms import PasswordChangeForm
 from django.contrib.auth.models import User
+from django.contrib.auth.views import LogoutView as LogoutViewBase
 from django.contrib.messages.views import SuccessMessageMixin
 from django.shortcuts import redirect, render
 from django.urls import reverse, reverse_lazy
 from django.utils import translation
+from django.utils.decorators import method_decorator
 from django.utils.text import format_lazy
 from django.utils.translation import gettext as _, gettext_lazy
+from django.views.decorators.cache import never_cache
+from django.views.decorators.csrf import csrf_protect
+from django.views.decorators.http import require_POST
 from django.views.generic import View
 from django.views.generic.base import TemplateView, RedirectView
 from django.views.generic.edit import CreateView, UpdateView, DeleteView
@@ -48,6 +53,13 @@ class BabyBuddyFilterView(FilterView):
         return context
 
 
+@method_decorator(csrf_protect, name='dispatch')
+@method_decorator(never_cache, name='dispatch')
+@method_decorator(require_POST, name='dispatch')
+class LogoutView(LogoutViewBase):
+    pass
+
+
 class UserList(StaffOnlyMixin, BabyBuddyFilterView):
     model = User
     template_name = 'babybuddy/user_list.html'