encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-11-04 01:47:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Use POST method instead of GET to perform logout in browsable API (#9208)

Browse Source 
* Use POST method instead of GET to perform logout in browsable API

* Add a test that checks the presence of the logout form
This commit is contained in:
şuayip üzülmez 2024-02-20 01:28:04 +03:00 committed by GitHub
parent df89f32b88
commit 2ef77b1833
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rest_framework/templates/rest_framework/admin.html
View File

@ -42,7 +42,7 @@
<ul class="nav navbar-nav pull-right"> <ul class="nav navbar-nav pull-right">
{% block userlinks %} {% block userlinks %}
{% if user.is_authenticated %} {% if user.is_authenticated %}
{% optional_logout request user %} {% optional_logout request user csrf_token %}
{% else %} {% else %}
{% optional_login request %} {% optional_login request %}
{% endif %} {% endif %}

2
rest_framework/templates/rest_framework/base.html
View File

@ -46,7 +46,7 @@
<ul class="nav navbar-nav pull-right"> <ul class="nav navbar-nav pull-right">
{% block userlinks %} {% block userlinks %}
{% if user.is_authenticated %} {% if user.is_authenticated %}
{% optional_logout request user %} {% optional_logout request user csrf_token %}
{% else %} {% else %}
{% optional_login request %} {% optional_login request %}
{% endif %} {% endif %}

13
rest_framework/templatetags/rest_framework.py
View File

@ -119,7 +119,7 @@ def optional_docs_login(request):
@register.simple_tag @register.simple_tag
def optional_logout(request, user): def optional_logout(request, user, csrf_token):
""" """
Include a logout snippet if REST framework's logout view is in the URLconf. Include a logout snippet if REST framework's logout view is in the URLconf.
""" """
@ -135,11 +135,16 @@ def optional_logout(request, user):
<b class="caret"></b> <b class="caret"></b>
</a> </a>
<ul class="dropdown-menu"> <ul class="dropdown-menu">
<li><a href='{href}?next={next}'>Log out</a></li> <form id="logoutForm" method="post" action="{href}?next={next}">
<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}">
</form>
<li>
<a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a>
</li>
</ul> </ul>
</li>""" </li>"""
snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path)) snippet = format_html(snippet, user=escape(user), href=logout_url,
next=escape(request.path), csrf_token=csrf_token)
return mark_safe(snippet) return mark_safe(snippet)

6
tests/browsable_api/test_browsable_api.py
View File

@ -65,6 +65,12 @@ class DropdownWithAuthTests(TestCase):
content = response.content.decode() content = response.content.decode()
assert '>Log in<' in content assert '>Log in<' in content
def test_dropdown_contains_logout_form(self):
self.client.login(username=self.username, password=self.password)
response = self.client.get('/')
content = response.content.decode()
assert '<form id="logoutForm" method="post" action="/auth/logout/?next=/">' in content
@override_settings(ROOT_URLCONF='tests.browsable_api.no_auth_urls') @override_settings(ROOT_URLCONF='tests.browsable_api.no_auth_urls')
class NoDropdownWithoutAuthTests(TestCase): class NoDropdownWithoutAuthTests(TestCase):