Support POST only for logout

This commit is contained in:
Christopher C. Wells 2021-12-18 17:38:08 -05:00
parent 32bfede6e2
commit 97fa8d7000
4 changed files with 23 additions and 2 deletions

View File

@ -269,7 +269,12 @@
<h6 class="dropdown-header">{% trans "User" %}</h6>
<a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a>
<a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a>
<a href="{% url 'babybuddy:logout' %}" class="dropdown-item">{% trans "Logout" %}</a>
<form action="{% url 'babybuddy:logout' %}" role="form" method="post">
{% csrf_token %}
<button class="dropdown-item">
{% trans "Logout" %}
</button>
</form>
<h6 class="dropdown-header">{% trans "Site" %}</h6>
<a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a>
{% if request.user.is_staff %}

View File

@ -70,3 +70,7 @@ class ViewsTestCase(TestCase):
def test_welcome(self):
page = self.c.get('/welcome/')
self.assertEqual(page.status_code, 200)
def test_logout_get_fails(self):
page = self.c.get('/logout/')
self.assertEqual(page.status_code, 405)

View File

@ -9,7 +9,7 @@ from . import views
app_patterns = [
path('login/', auth_views.LoginView.as_view(), name='login'),
path('logout/', auth_views.LogoutView.as_view(), name='logout'),
path('logout/', views.LogoutView.as_view(), name='logout'),
path(
'password_reset/',
auth_views.PasswordResetView.as_view(),

View File

@ -3,12 +3,17 @@ from django.contrib import messages
from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.forms import PasswordChangeForm
from django.contrib.auth.models import User
from django.contrib.auth.views import LogoutView as LogoutViewBase
from django.contrib.messages.views import SuccessMessageMixin
from django.shortcuts import redirect, render
from django.urls import reverse, reverse_lazy
from django.utils import translation
from django.utils.decorators import method_decorator
from django.utils.text import format_lazy
from django.utils.translation import gettext as _, gettext_lazy
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
from django.views.generic import View
from django.views.generic.base import TemplateView, RedirectView
from django.views.generic.edit import CreateView, UpdateView, DeleteView
@ -48,6 +53,13 @@ class BabyBuddyFilterView(FilterView):
return context
@method_decorator(csrf_protect, name='dispatch')
@method_decorator(never_cache, name='dispatch')
@method_decorator(require_POST, name='dispatch')
class LogoutView(LogoutViewBase):
pass
class UserList(StaffOnlyMixin, BabyBuddyFilterView):
model = User
template_name = 'babybuddy/user_list.html'