Use POST method instead of GET to perform logout in browsable API #9208
Conversation
| <input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}"> | ||
| </form> | ||
| <li> | ||
| <a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a> |
There was a problem hiding this comment.
not sure, but should this href use #?
There was a problem hiding this comment.
Since it immediately redirects the user to next, it should not be a problem?
Alternatives:
-
We could remove the href. In that case, we would need to add inline css so that cursor would be pointer. Also we'll probably need to add
role="button"for improved semantics for screen readers. -
We could set
nextas href. Although I'm not sure how it would behave. We may need to callpreventDefault.
I'm refraining from using <button> here since it would require a bit of CSS juggling.
There was a problem hiding this comment.
It's a pretty standard pattern I think, seems okay to me.
| </ul> | ||
| </li>""" | ||
| snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path)) | ||
|
|
||
| snippet = format_html(snippet, user=escape(user), href=logout_url, |
There was a problem hiding this comment.
is it possible to update the tests a bit to verify it is working and not creating any regression?
There was a problem hiding this comment.
It appears that using POST for logout has been available from the start (for the view we are using at least). So as long as we get the form action and CSRF right, it should be fine.
I added a test that specifically checks for the form declaration. If you had something other in your mind, let me know.
Description
Fixes #9206