I was just thinking about this. I agree that a GET causing logout is wrong, and we need to not break things and I agree we need to keep the original view untouched so we don't break anything. _maybe_ deprecate it. The admin could begin using the new view right away.
On Wednesday, December 3, 2014 5:02:42 PM UTC-5, Tim Chase wrote:
> I've had a couple cases where browser link pre-fetching triggered
> an unintended logout from my Django app (I haven't fully tracked down
> the exact combination of triggering conditions, but I suspect they
> are similar to Israel Brewster's CherryPy issue mentioned on
> comp.lang.python [1]) and was surprised that Django suffered the same
> issue.
>
> Researching, I found https://code.djangoproject.com/ticket/15619
> but see that it was last modified ~10mo ago, having been opened ~4yrs
> ago. The current (development HEAD from git) versions of
>
> django/contrib/auth/views.py:logout()
> django/contrib/auth/__init__.py:logout()
>
> still don't seem to contain any checks to ensure logouts can only
> happen via POST rather than GET requests.
>
> Is there any movement forward on resolving this so my browser
> doesn't inconveniently boot me from the app when I don't intend to
> log out?
>
> -tkc
>
> [1]
> https://mail.python.org/pipermail/python-list/2014-December/682106.html

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/cbd1d995-6a3b-4ce2-b31d-cf533ac65758%40googlegroups.com.
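
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Django's code: a framework-free WSGI logout endpoint that changes state only on POST, so a prefetcher's GET leaves the session alone. The session store, cookie name, URL and helper names are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed in-memory session store: session id -> username.
SESSIONS = {"abc123": "tim"}


def session_id(environ):
    """Return the value of the (assumed) 'sessionid' cookie, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sessionid"].value if "sessionid" in cookie else None


def logout_app(environ, start_response):
    """Hypothetical POST-only logout view written as a plain WSGI app."""
    if environ["REQUEST_METHOD"] != "POST":
        # GET/HEAD are what link prefetchers send; they must not end a session.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"Logout requires POST\n"]
    # State change happens only here, on an explicit POST.
    SESSIONS.pop(session_id(environ), None)
    start_response("303 See Other",
                   [("Location", "/"),
                    ("Set-Cookie", "sessionid=; Max-Age=0; Path=/")])
    return [b""]


def request(method, cookie):
    """Drive logout_app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO="/logout/",
                   HTTP_COOKIE=cookie)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(logout_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(request("GET", "sessionid=abc123")[0], sorted(SESSIONS))
    print(request("POST", "sessionid=abc123")[0], sorted(SESSIONS))
```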
