Skip to content

Use POST method instead of GET to perform logout in browsable API#9208

Merged
auvipy merged 2 commits intoencode:masterfrom
realsuayip:add_opt_logout_form
Feb 19, 2024
Merged

Use POST method instead of GET to perform logout in browsable API#9208
auvipy merged 2 commits intoencode:masterfrom
realsuayip:add_opt_logout_form

Conversation

@realsuayip
Copy link
Copy Markdown
Contributor

@realsuayip realsuayip commented Jan 3, 2024

Description

Fixes #9206

@auvipy auvipy self-requested a review January 4, 2024 13:58
auvipy
auvipy reviewed Jan 4, 2024
View reviewed changes
Comment thread rest_framework/templatetags/rest_framework.py
<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token}">
</form>
<li>
<a href="#" onclick='document.getElementById("logoutForm").submit()'>Log out</a>
Copy link
Copy Markdown
Collaborator

@auvipy auvipy Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure, but should this href use #?

Copy link
Copy Markdown
Contributor Author

@realsuayip realsuayip Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it immediately redirects the user to next, it should not be a problem?

Alternatives:

  • We could remove the href. In that case, we would need to add inline css so that cursor would be pointer. Also we'll probably need to add role="button" for improved semantics for screen readers.

  • We could set next as href. Although I'm not sure how it would behave. We may need to call preventDefault.

I'm refraining from using <button> here since it would require a bit of CSS juggling.

Copy link
Copy Markdown
Contributor

@lovelydinosaur lovelydinosaur Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a pretty standard pattern I think, seems okay to me.

@lovelydinosaur lovelydinosaur mentioned this pull request Jan 4, 2024
Merged
@auvipy auvipy added this to the 3.15 milestone Jan 11, 2024
auvipy
auvipy requested changes Feb 16, 2024
View reviewed changes
Comment thread rest_framework/templatetags/rest_framework.py
</li>"""
snippet = format_html(snippet, user=escape(user), href=logout_url, next=escape(request.path))

snippet = format_html(snippet, user=escape(user), href=logout_url,
Copy link
Copy Markdown
Collaborator

@auvipy auvipy Feb 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to update the tests a bit to verify it is working and not creating any regression?

Copy link
Copy Markdown
Contributor Author

@realsuayip realsuayip Feb 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that using POST for logout has been available from the start (for the view we are using at least). So as long as we get the form action and CSRF right, it should be fine.

I added a test that specifically checks for the form declaration. If you had something other in your mind, let me know.

@auvipy auvipy merged commit 2ef77b1 into encode:master Feb 19, 2024
@gaurovsoni gaurovsoni mentioned this pull request Mar 5, 2024
Closed
@JaeHyuckSa JaeHyuckSa mentioned this pull request Apr 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lovelydinosaur lovelydinosaur lovelydinosaur left review comments

@auvipy auvipy auvipy approved these changes

+1 more reviewer

@ulgens ulgens ulgens approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.15

Development

Successfully merging this pull request may close these issues.

rest_framework.urls doesn't work with LogoutView in Django 5.0

4 participants

@realsuayip @ulgens @lovelydinosaur @auvipy