Support POST only for logout

This commit is contained in:
Christopher C. Wells 2021-12-18 17:38:08 -05:00
parent 32bfede6e2
commit 97fa8d7000
4 changed files with 23 additions and 2 deletions


@ -269,7 +269,12 @@
<h6 class="dropdown-header">{% trans "User" %}</h6> <h6 class="dropdown-header">{% trans "User" %}</h6>
<a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a> <a href="{% url 'babybuddy:user-settings' %}" class="dropdown-item">{% trans "Settings" %}</a>
<a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a> <a href="{% url 'babybuddy:user-password' %}" class="dropdown-item">{% trans "Password" %}</a>
<a href="{% url 'babybuddy:logout' %}" class="dropdown-item">{% trans "Logout" %}</a> <form action="{% url 'babybuddy:logout' %}" role="form" method="post">
{% csrf_token %}
<button class="dropdown-item">
{% trans "Logout" %}
</button>
</form>
<h6 class="dropdown-header">{% trans "Site" %}</h6> <h6 class="dropdown-header">{% trans "Site" %}</h6>
<a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a> <a href="{% url 'api:api-root' %}" class="dropdown-item">{% trans "API Browser" %}</a>
{% if request.user.is_staff %} {% if request.user.is_staff %}
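Review bot: The new `<button class="dropdown-item">` relies on the implicit default `type="submit"` for a button inside a form; making it explicit, `<button type="submit" class="dropdown-item">`, keeps the intent obvious and guards against a template change that later wraps it differently. The `{% csrf_token %}` on the form is the part that ties the logout request to the user's own session, so it must stay with the form wherever this markup is reused. Any other template that still links to `babybuddy:logout` with a plain `<a href>` would now receive a 405 from the POST-only view, which I cannot confirm from this section and is worth a grep.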


@ -70,3 +70,7 @@ class ViewsTestCase(TestCase):
def test_welcome(self): def test_welcome(self):
page = self.c.get('/welcome/') page = self.c.get('/welcome/')
self.assertEqual(page.status_code, 200) self.assertEqual(page.status_code, 200)
def test_logout_get_fails(self):
page = self.c.get('/logout/')
self.assertEqual(page.status_code, 405)
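Review bot: `test_logout_get_fails` only covers the rejection path; there is no test that a POST to `/logout/` actually ends the session, so a regression that breaks logout entirely would still pass this suite. A companion test can assert on the session rather than on a status code, since the post-logout response depends on `LOGOUT_REDIRECT_URL`: `def test_logout_post(self):` / `self.c.post('/logout/')` / `self.assertNotIn('_auth_user_id', self.c.session)`. The 405 assertion holds whether or not `self.c` is authenticated, because the method check runs at dispatch before any session handling; the enclosing `ViewsTestCase` begins outside this hunk.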


@ -9,7 +9,7 @@ from . import views
app_patterns = [ app_patterns = [
path('login/', auth_views.LoginView.as_view(), name='login'), path('login/', auth_views.LoginView.as_view(), name='login'),
path('logout/', auth_views.LogoutView.as_view(), name='logout'), path('logout/', views.LogoutView.as_view(), name='logout'),
path( path(
'password_reset/', 'password_reset/',
auth_views.PasswordResetView.as_view(), auth_views.PasswordResetView.as_view(),


@ -3,12 +3,17 @@ from django.contrib import messages
from django.contrib.auth import update_session_auth_hash from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.forms import PasswordChangeForm from django.contrib.auth.forms import PasswordChangeForm
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib.auth.views import LogoutView as LogoutViewBase
from django.contrib.messages.views import SuccessMessageMixin from django.contrib.messages.views import SuccessMessageMixin
from django.shortcuts import redirect, render from django.shortcuts import redirect, render
from django.urls import reverse, reverse_lazy from django.urls import reverse, reverse_lazy
from django.utils import translation from django.utils import translation
from django.utils.decorators import method_decorator
from django.utils.text import format_lazy from django.utils.text import format_lazy
from django.utils.translation import gettext as _, gettext_lazy from django.utils.translation import gettext as _, gettext_lazy
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
from django.views.generic import View from django.views.generic import View
from django.views.generic.base import TemplateView, RedirectView from django.views.generic.base import TemplateView, RedirectView
from django.views.generic.edit import CreateView, UpdateView, DeleteView from django.views.generic.edit import CreateView, UpdateView, DeleteView
@ -48,6 +53,13 @@ class BabyBuddyFilterView(FilterView):
return context return context
@method_decorator(csrf_protect, name='dispatch')
@method_decorator(never_cache, name='dispatch')
@method_decorator(require_POST, name='dispatch')
class LogoutView(LogoutViewBase):
pass
class UserList(StaffOnlyMixin, BabyBuddyFilterView): class UserList(StaffOnlyMixin, BabyBuddyFilterView):
model = User model = User
template_name = 'babybuddy/user_list.html' template_name = 'babybuddy/user_list.html'
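Review bot: The new `LogoutView` has a body of `pass` and no docstring, so nothing at the definition explains why a GET logout is being refused or why three decorators are stacked on `dispatch`. A short docstring stating that the view accepts only POST so that a logout cannot be triggered by a plain link or embedded request from another origin, and that the CSRF check is what binds the request to the user's own session, would let the next maintainer keep the decorators together rather than "simplify" them away. `never_cache` appears to duplicate what `django.contrib.auth.views.LogoutView` already applies to its own `dispatch`, and `csrf_protect` is redundant when `CsrfViewMiddleware` is enabled, so a `# belt-and-braces: explicit even when the middleware is present` comment would clarify that both are intentional. Later Django releases deprecate GET on the built-in `LogoutView`, so the docstring could also mention that this override may become unnecessary on upgrade; that is an inference, not something visible in this hunk.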