make logout a POST operation

2025-03-25 22:57:12 +00:00 · 2025-03-12 00:45:19 +01:00 · 2025-03-12 00:45:19 +01:00 · 5c5755d4a6
commit 5c5755d4a6
parent aaa8c4ba67
3 changed files with 30 additions and 7 deletions
--- a/core/static/core/header.scss
+++ b/core/static/core/header.scss
@ -251,21 +251,31 @@ $hovered-red-text-color: #ff4d4d;
              justify-content: flex-start;
            }

-            >a {
+            a, button {
+              font-size: 100%;
+              margin: 0;
              text-align: right;
              color: $text-color;

              &:hover {
                color: $hovered-text-color;
              }
+            }

-              &:last-child {
-                color: $red-text-color;
+            form#logout-form {
+              margin: 0;
+              display: inline;
+            }
+            #logout-form button {
+              color: $red-text-color;

-                &:hover {
-                  color: $hovered-red-text-color;
-                }
+              &:hover {
+                color: $hovered-red-text-color;
              }
+              background: none;
+              border: none;
+              cursor: pointer;
+              padding: 0;
            }
          }
        }
--- a/core/templates/core/base/header.jinja
+++ b/core/templates/core/base/header.jinja
@ -59,7 +59,10 @@
            </div>
            <div class="links">
              <a href="{{ url('core:user_tools') }}">{% trans %}Tools{% endtrans %}</a>
-              <a href="{{ url('core:logout') }}">{% trans %}Logout{% endtrans %}</a>
+              <form id="logout-form" method="post" action="{{ url("core:logout") }}">
+                {% csrf_token %}
+                <button type="submit">{% trans %}Logout{% endtrans %}</button>
+              </form>
            </div>
          </div>
          <a
--- a/core/tests/test_user.py
+++ b/core/tests/test_user.py
@ -2,6 +2,7 @@ from datetime import timedelta

 import pytest
 from django.conf import settings
+from django.contrib import auth
 from django.core.management import call_command
 from django.test import Client, TestCase
 from django.urls import reverse
@ -219,3 +220,12 @@ def test_user_update_groups(client: Client):
        manageable_groups[1],
        *hidden_groups[:3],
    }
+
+
+@pytest.mark.django_db
+def test_logout(client: Client):
+    user = baker.make(User)
+    client.force_login(user)
+    res = client.post(reverse("core:logout"))
+    assertRedirects(res, reverse("core:login"))
+    assert auth.get_user(client).is_anonymous