Re: Status of #15619: logout via POST, but not GET

2014-12-04 Thread Collin Anderson
I was just thinking about this. I agree that a GET causing logout is wrong, 
and we need to not break things and I agree we need to keep the original 
view untouched so we don't break anything. _maybe_ deprecate it. The admin 
could begin using the new view right away.


-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/cbd1d995-6a3b-4ce2-b31d-cf533ac65758%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Status of #15619: logout via POST, but not GET

2014-12-03 Thread Marc Tamlyn
From a brief look, the changes in the pull request do not appear to
consider backwards compatibility at all, which would be important.

The argument that it's ok because it would now just show a confirmation
page is insufficient, as if someone had built a confirmation page there
would now be two. Also it requires every user to ensure such a confirmation
page fits the look of their website.

A possible solution would be to introduce a new view (logout_confirm) which
describes the new behaviour and throw deprecation warnings on the old
logout view.

In my opinion this change is not worth the backwards incompatibility.



Re: Status of #15619: logout via POST, but not GET

2014-12-03 Thread Tim Graham
I think you're thinking of https://code.djangoproject.com/ticket/17209. The 
latest patch appears to allow logout via GET, but even if it enforced POST, 
there are still client-side (template) updates required to turn the logout 
links into form submissions, so I think it should be considered an 
independent task (I may be missing your reasoning).


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/03ade6e9-457c-4d17-a4bf-542bfed0ef4c%40googlegroups.com.


Re: Status of #15619: logout via POST, but not GET

2014-12-03 Thread Curtis Maloney
Wasn't there a PR to turn all the auth views to CBV?

That would implicitly enforce the behaviour to POST-only, I would hope.

--
Curtis



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAG_XiSApWNAuS1xJF-LWPZU5%3DO6UaVihB4pNh4iZ9oMfs-LHqg%40mail.gmail.com.


Re: Status of #15619: logout via POST, but not GET

2014-12-03 Thread Tim Graham
Hi Tim,

There's an open pull request, 
but it was opened over a year ago and has gone stale. Maybe you'd like to 
review and update it.

You can use the patch review checklist:

https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/submitting-patches/#patch-review-checklist

If you are happy with the patch after that, please mark the ticket as 
"ready for checkin" for a final review from a core developer.

Thanks!
Tim


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/c888627a-d1da-4755-ad77-055b7837c2e2%40googlegroups.com.


Status of #15619: logout via POST, but not GET

2014-12-03 Thread Tim Chase
I've had a couple cases where browser link pre-fetching triggered
an unintended logout from my Django app (I haven't fully tracked down
the exact combination of triggering conditions, but I suspect they're
similar to Israel Brewster's CherryPy issue mentioned on
comp.lang.python [1]) and was surprised that Django suffered the same
issue.

Researching, I found https://code.djangoproject.com/ticket/15619
but see that it was last modified ~10mo ago, having been opened ~4yrs
ago.  The current (development HEAD from git) versions of

  django/contrib/auth/views.py:logout()
  django/contrib/auth/__init__.py:logout()

still don't seem to contain any checks to ensure logouts can only
happen via POST rather than GET requests.

Is there any movement forward on resolving this so my browser
doesn't inconveniently boot me from the app when I don't intend to
log out?

-tkc

[1]
https://mail.python.org/pipermail/python-list/2014-December/682106.html

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/20141203160459.1ee6d9f8%40bigbox.christie.dr.
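Editor's added example, covering both Tim Chase's report above (a prefetched GET ending the session) and Tim Graham's point that enforcing POST also means turning the logout link into a form. This is not code from Django, from the pull request, or from anyone in the thread; it uses only the standard library so it runs without Django installed. The `Session` and `Response` classes, the `logout_view` signature and the `demo` helper are constructions of this example, and the field name `csrfmiddlewaretoken` is borrowed from Django's form convention only for familiarity.

```python
"""POST-only logout with a CSRF check, written to illustrate ticket #15619.

Added example, not Django's code. A GET-triggered logout is state change on a
"safe" method: anything that follows links without a click (browser prefetch,
link-preview bots, <img src=...>) can end the session. Gating on POST stops
that; checking a per-session CSRF token stops a cross-site auto-submitting
form from doing the same thing over POST.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session stub, constructed for this example."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Response:
    """Just enough of an HTTP response to reason about."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def logout_view(method: str, session: Session,
                form: Optional[Dict[str, str]] = None) -> Response:
    """Log the user out only on a CSRF-protected POST.

    Any other method (GET/HEAD included) gets 405 with an Allow header, so
    following /logout/ as a plain link leaves the session untouched. A POST
    must carry the session's CSRF token; compare in constant time.
    """
    if method != "POST":
        return Response(405, {"Allow": "POST"}, "Use POST to log out.")
    submitted = (form or {}).get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return Response(403, body="CSRF verification failed.")
    session.user = None
    session.csrf_token = secrets.token_hex(16)  # rotate after a state change
    return Response(303, {"Location": "/"})


def logout_form_html(session: Session) -> str:
    """The template-side change: the logout link becomes a POST form."""
    return (
        '<form method="post" action="/logout/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{session.csrf_token}">'
        '<button type="submit">Log out</button></form>'
    )


def demo() -> Dict[str, object]:
    """Walk through the three cases the thread discusses."""
    s = Session(user="alice")
    get = logout_view("GET", s)                                    # prefetch / plain link
    forged = logout_view("POST", s, {"csrfmiddlewaretoken": "x"})  # cross-site form, no token
    real = logout_view("POST", s, {"csrfmiddlewaretoken": s.csrf_token})
    return {"get": get.status, "forged_post": forged.status,
            "post": real.status, "logged_out": s.user is None}


if __name__ == "__main__":
    print(demo())
```

In Django itself the method gate is what `django.views.decorators.http.require_POST` gives a function view and `http_method_names = ['post']` gives a class-based one, and `CsrfViewMiddleware` performs the token comparison; the point of the example is that both halves are needed, since a POST-only view reachable by an unchecked cross-site form still has the original problem.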