From 325376891cd336d3f4ab38f5f023e981f98ff428 Mon Sep 17 00:00:00 2001 From: Deimos Date: Sun, 10 Feb 2019 18:06:16 -0700 Subject: [PATCH] Change logout to use POST instead of GET Using GET for logging out isn't a very good idea, and can result in external sites being able to log users out by including things like This changes it to require a POST, and uses a form with its submit button re-styled to look like the other text links in the menu.
---
 tildes/scss/modules/_nav.scss | 12 ++++++++++++ tildes/scss/modules/_sidebar.scss | 4 ++++ tildes/tildes/templates/macros/user_menu.jinja2 | 7 ++++++- tildes/tildes/views/login.py | 4 ++-- 4 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/tildes/scss/modules/_nav.scss b/tildes/scss/modules/_nav.scss
index ab9fa09..5d5f5b7 100644
--- a/tildes/scss/modules/_nav.scss
+++ b/tildes/scss/modules/_nav.scss
@@ -30,4 +30,16 @@
 text-decoration: underline;
 }
 }
+
+ .nav-item .btn-link {
+ height: auto;
+ font-size: 0.8rem;
+ font-weight: normal;
+ padding: 0.2rem 0.4rem;
+ border: 0;
+
+ &:hover {
+ text-decoration: underline;
+ }
+ }
 }
diff --git a/tildes/scss/modules/_sidebar.scss b/tildes/scss/modules/_sidebar.scss
index 42bd747..2b56b75 100644
--- a/tildes/scss/modules/_sidebar.scss
+++ b/tildes/scss/modules/_sidebar.scss
@@ -23,6 +23,10 @@
 font-weight: normal;
 }
 }
+
+ .nav .btn-link {
+ width: auto;
+ }
 }
 .sidebar-controls {
diff --git a/tildes/tildes/templates/macros/user_menu.jinja2 b/tildes/tildes/templates/macros/user_menu.jinja2
index a7c6e55..ed1c96e 100644
--- a/tildes/tildes/templates/macros/user_menu.jinja2
+++ b/tildes/tildes/templates/macros/user_menu.jinja2
@@ -71,7 +71,12 @@ Settings - + {% endmacro %}
diff --git a/tildes/tildes/views/login.py b/tildes/tildes/views/login.py
index 9b63992..47c721b 100644
--- a/tildes/tildes/views/login.py
+++ b/tildes/tildes/views/login.py
@@ -124,8 +124,8 @@ def post_login_two_factor(request: Request, code: str) -> Response:
 raise HTTPUnauthorized(body="Invalid code, please try again.")
-@view_config(route_name="logout")
-def get_logout(request: Request) -> HTTPFound:
+@view_config(route_name="logout", request_method="POST")
+def post_logout(request: Request) -> HTTPFound:
 """Process a log out request."""
 request.session.invalidate()
 request.db_session.add(Log(LogEventType.USER_LOG_OUT, request))
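Review bot: Requiring POST on `post_logout` only defeats the image/link-style GET trick the commit message describes; a cross-origin auto-submitted `<form method="post" action="/logout">` still reaches `request.session.invalidate()` unless the request carries a CSRF token, and nothing in this hunk checks for one. If the application does not already enforce CSRF for every POST through Pyramid's `default_csrf_options`/`require_csrf` setting (not visible here), make it explicit on this view: `@view_config(route_name="logout", request_method="POST", require_csrf=True)`, and confirm that the new logout form in user_menu.jinja2 emits the session's CSRF token (that hunk is not readable in this rendering). With no GET view left for the route, a GET to /logout will presumably fall through to Pyramid's predicate-mismatch 404 rather than a 405, which is acceptable but worth a one-line comment above the decorator such as `# GET is deliberately unsupported: logout must not be triggerable by a bare link or image`. The body of post_logout continues past the end of the hunk.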