Use POST method instead of GET to perform logout in browsable API

2025-07-16 19:22:24 +03:00 · 2024-01-03 23:04:05 +03:00 · 2024-01-03 23:04:05 +03:00 · edeabb1546
commit edeabb1546
parent 0f39e0124d
3 changed files with 11 additions and 6 deletions
--- a/rest_framework/templates/rest_framework/admin.html
+++ b/rest_framework/templates/rest_framework/admin.html
@ -42,7 +42,7 @@
                <ul class="nav navbar-nav pull-right">
                  {% block userlinks %}
                    {% if user.is_authenticated %}
-                      {% optional_logout request user %}
+                      {% optional_logout request user csrf_token %}
                    {% else %}
                      {% optional_login request %}
                    {% endif %}
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@ -46,7 +46,7 @@
            <ul class="nav navbar-nav pull-right">
              {% block userlinks %}
                {% if user.is_authenticated %}
-                  {% optional_logout request user %}
+                  {% optional_logout request user csrf_token %}
                {% else %}
                  {% optional_login request %}
                {% endif %}
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@ -119,7 +119,7 @@ def optional_docs_login(request):
@register.simple_tag
-def optional_logout(request, user):
+def optional_logout(request, user, csrf_token):
    """
    Include a logout snippet if REST framework's logout view is in the URLconf.
    """
@ -135,11 +135,16 @@ def optional_logout(request, user):
            <b class="caret"></b>
        </a>
        <ul class="dropdown-menu">
-            <li><a href='{href}?next={next}'>Log out</a></li>
+            <form id="logoutForm" method="post" action="{href}?next={next}">
                <input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}">
            </form>
            <li>
                <a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a>
            </li>
        </ul>
    </li>"""
-    snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path))
+    snippet = format_html(snippet, user=escape(user), href=logout_url,
-
+                          next=escape(request.path), csrf_token=csrf_token)
    return mark_safe(snippet)