
Change logout to use POST instead of GET

Using GET for logging out isn't a very good idea, and can result in
external sites being able to log users out by including things like
<img src="https://tildes.net/logout">

This changes it to require a POST, and uses a form with its submit
button re-styled to look like the other text links in the menu.
merge-requests/55/head
Deimos 6 years ago
parent
commit
325376891c
  1. 12
      tildes/scss/modules/_nav.scss
  2. 4
      tildes/scss/modules/_sidebar.scss
  3. 7
      tildes/tildes/templates/macros/user_menu.jinja2
  4. 4
      tildes/tildes/views/login.py

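--- a/tildes/scss/modules/_nav.scss
+++ b/tildes/scss/modules/_nav.scss
@@ -30,4 +30,16 @@
 text-decoration: underline;
 }
 }
+.nav-item .btn-link {
+height: auto;
+font-size: 0.8rem;
+font-weight: normal;
+padding: 0.2rem 0.4rem;
+border: 0;
+&:hover {
+text-decoration: underline;
+}
+}
 }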

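--- a/tildes/scss/modules/_sidebar.scss
+++ b/tildes/scss/modules/_sidebar.scss
@@ -23,6 +23,10 @@
 font-weight: normal;
 }
 }
+.nav .btn-link {
+width: auto;
+}
 }
 .sidebar-controls {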

7
tildes/tildes/templates/macros/user_menu.jinja2

@ -71,7 +71,12 @@
Settings Settings
</a> </a>
</li> </li>
<li class="nav-item"><a href="/logout">Log out</a></li>
<li class="nav-item">
<form action="/logout" method="post">
<input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}">
<button type="submit" class="btn btn-link">Log out</button>
</form>
</li>
</ul> </ul>
</ul> </ul>
{% endmacro %} {% endmacro %}

4
tildes/tildes/views/login.py

@ -124,8 +124,8 @@ def post_login_two_factor(request: Request, code: str) -> Response:
raise HTTPUnauthorized(body="Invalid code, please try again.") raise HTTPUnauthorized(body="Invalid code, please try again.")
@view_config(route_name="logout")
def get_logout(request: Request) -> HTTPFound:
@view_config(route_name="logout", request_method="POST")
def post_logout(request: Request) -> HTTPFound:
"""Process a log out request.""" """Process a log out request."""
request.session.invalidate() request.session.invalidate()
request.db_session.add(Log(LogEventType.USER_LOG_OUT, request)) request.db_session.add(Log(LogEventType.USER_LOG_OUT, request))
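Review bot: `post_logout` restricts the route to POST but does not itself require a CSRF check, so unless the application enables CSRF validation globally (e.g. `config.set_default_csrf_options(require_csrf=True)`, which is not visible in this hunk) a cross-site auto-submitted form can still log users out, which is the same class of problem the commit sets out to close. The template hunk in user_menu.jinja2 already emits the token through the hidden `csrf_token` field, so the missing piece is only the server-side verification; declaring it on the view makes the contract explicit, `@view_config(route_name="logout", request_method="POST", require_csrf=True)`. A docstring line such as `"""Process a log out request (POST only; CSRF token must validate)."""` would record that expectation for the next reader. Existing links or bookmarks to GET /logout will presumably stop matching this view after the change; worth a check that nothing else in the project still links to it. The body of post_logout continues past the end of the hunk.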
