Re: [Django] #15619: Logout link should be protected

2023-09-14 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Cleanup/optimization   |  Status:  closed
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:  fixed
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------

Comment (by GitHub ):

 In [changeset:"e2a3a896cf0825a2da2347773c79ba7a341fe392" e2a3a896]:
 {{{
 #!CommitTicketReference repository=""
 revision="e2a3a896cf0825a2da2347773c79ba7a341fe392"
 Refs #15619 -- Removed deprecated annotation about logging out via GET
 requests.

 Follow up to 6c57c08ae52f86df843fccb5a3c1c6c45a10a26f.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/0107018a94cfae21-f611b0f6-bdc0-4027-a3de-589c588797c9-00%40eu-central-1.amazonses.com.


Re: [Django] #15619: Logout link should be protected

2023-01-17 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Cleanup/optimization   |  Status:  closed
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:  fixed
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------

Comment (by Mariusz Felisiak ):

 In [changeset:"9a01311d204ebf23e615a0802cedcc7b6b373826" 9a01311d]:
 {{{
 #!CommitTicketReference repository=""
 revision="9a01311d204ebf23e615a0802cedcc7b6b373826"
 Refs #15619 -- Removed support for logging out via GET requests.

 Per deprecation timeline.
 }}}


Re: [Django] #15619: Logout link should be protected

2022-08-11 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Cleanup/optimization   |  Status:  closed
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:  fixed
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------

Comment (by Michael):

 Something that may be more likely than an XSS logout attack... is if some
 not tech-savvy user clicks back, or navigates to the logged-out URL, and
 sees the message "You are logged out", and thinks they are logged out now,
 and it's safe to close the browser, but actually since logout only happens
 via POST now, they are actually still logged in. Yes, one can mitigate the
 issue with some JavaScript on the logged-out page, but maybe the average
 developer might miss this point when reading:
 https://docs.djangoproject.com/en/dev/releases/4.1/#log-out-via-get


Re: [Django] #15619: Logout link should be protected

2022-03-28 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Cleanup/optimization   |  Status:  closed
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:  fixed
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------
Changes (by Mariusz Felisiak ):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"eb07b5be0ce7c51938ed9b00bae04ebe9a75110c" eb07b5be]:
 {{{
 #!CommitTicketReference repository=""
 revision="eb07b5be0ce7c51938ed9b00bae04ebe9a75110c"
 Fixed #15619 -- Deprecated log out via GET requests.

 Thanks Florian Apolloner for the implementation idea.

 Co-Authored-By: Mariusz Felisiak 
 }}}


Re: [Django] #15619: Logout link should be protected

2022-03-25 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Cleanup/optimization   |  Status:  assigned
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------
Changes (by Mariusz Felisiak):

 * needs_docs:  1 => 0
 * type:  Bug => Cleanup/optimization
 * stage:  Accepted => Ready for checkin



Re: [Django] #15619: Logout link should be protected

2022-03-24 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Bug                    |  Status:  assigned
 Component: contrib.auth           |  Version:  dev
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Accepted
 Has patch: 1                      |  Needs documentation:  1
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------

Comment (by GitHub ):

 In [changeset:"94d8ed55fa8e181b98f818a1b2805c66943cfeec" 94d8ed55]:
 {{{
 #!CommitTicketReference repository=""
 revision="94d8ed55fa8e181b98f818a1b2805c66943cfeec"
 Refs #15619 -- Logged out with POST requests in admin.
 }}}


Re: [Django] #15619: Logout link should be protected

2020-02-27 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Bug                    |  Status:  assigned
 Component: contrib.auth           |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Accepted
 Has patch: 1                      |  Needs documentation:  1
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------
Changes (by René Fleschenberg):

 * has_patch:  0 => 1


Comment:

 As a first step, I suggest deprecating logout via GET.

 PR: https://github.com/django/django/pull/12504


Re: [Django] #15619: Logout link should be protected

2020-02-27 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  René Fleschenberg
 Type:      Bug                    |  Status:  assigned
 Component: contrib.auth           |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Accepted
 Has patch: 0                      |  Needs documentation:  1
 Needs tests: 0                    |  Patch needs improvement:  0
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------
Changes (by René Fleschenberg):

 * owner:  Ramiro Morales => René Fleschenberg
 * needs_better_patch:  1 => 0
 * has_patch:  1 => 0
 * needs_docs:  0 => 1



Re: [Django] #15619: Logout link should be protected

2018-01-09 Thread Django
#15619: Logout link should be protected
-----------------------------------+-----------------------------------
 Reporter:  Alexey Boriskin        |  Owner:  Ramiro Morales
 Type:      Bug                    |  Status:  assigned
 Component: contrib.auth           |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Accepted
 Has patch: 1                      |  Needs documentation:  0
 Needs tests: 0                    |  Patch needs improvement:  1
 Easy pickings: 0                  |  UI/UX:  0
-----------------------------------+-----------------------------------
Changes (by Ramiro Morales):

 * owner:  (none) => Ramiro Morales
 * status:  new => assigned



Re: [Django] #15619: Logout link should be protected

2016-06-03 Thread Django
#15619: Logout link should be protected
--+
 Reporter:  void  |Owner:
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+
Changes (by timgraham):

 * owner:  ashchristopher =>
 * status:  assigned => new



Re: [Django] #15619: Logout link should be protected

2014-12-04 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by collinanderson):

 https://groups.google.com/d/topic/django-developers/MmFzCq8oB5I/discussion


Re: [Django] #15619: Logout link should be protected

2014-01-31 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by Gwildor):

 * cc: Gwildor (added)



Re: [Django] #15619: Logout link should be protected

2013-11-25 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by vzima):

 Replying to [comment:38 loic84]:
 > The `input` that masquerades as an anchor doesn't render all that well
 across various browsers, also it'll break for people with custom CSS.
 We could also keep the form and style the button as a button.


Re: [Django] #15619: Logout link should be protected

2013-11-22 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by loic84):

 The `input` that masquerades as an anchor doesn't render all that well
 across various browsers, also it'll break for people with custom CSS.

 I would replace it with `` and a
 jQuery click handler along those lines:
 {{{#!javascript
 $('#logout-link').click(function(e) {
     // Submit the enclosing POST form instead of following the href;
     // without preventDefault() the browser would also navigate to the link.
     e.preventDefault();
     $(this).parents('form').submit();
 });
 }}}

 People without JS can still logout because the `href` points to the
 intermediary page.


Re: [Django] #15619: Logout link should be protected

2013-11-22 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by vzima):

 * cc: vlastimil@… (added)



Re: [Django] #15619: Logout link should be protected

2013-11-22 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by vzima):

 * needs_better_patch:  0 => 1


Comment:

 I'd rather note this here, in case it gets lost on github: KJ didn't fix
 the logout links in password change templates.


Re: [Django] #15619: Logout link should be protected

2013-11-22 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by vzima):

 For a few days I have had the branch in the works, but KJ was a bit faster
 :) I provide my pull request as well; I found a few things differ there,
 though I replaced the logout link with a form as well.

 https://github.com/django/django/pull/1963


Re: [Django] #15619: Logout link should be protected

2013-11-19 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by unaizalakain):

 * cc: unai@… (added)


Comment:

 Patch LGTM


Re: [Django] #15619: Logout link should be protected

2013-11-18 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by KJ):

 * needs_better_patch:  1 => 0
 * needs_docs:  1 => 0


Comment:

 I’ve added the documentation and made a few changes to vzima’s patch:
 https://github.com/django/django/pull/1934


Re: [Django] #15619: Logout link should be protected

2013-06-20 Thread Django
#15619: Logout link should be protected
--+--
 Reporter:  void  |Owner:  ashchristopher
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  1
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by erikr):

 * cc: eromijn@… (added)
 * needs_docs:  0 => 1
 * component:  contrib.admin => contrib.auth


Comment:

 The patch no longer applies cleanly and an update for the contrib.auth
 documentation is not included. A change like this also belongs in the
 release notes, as it causes a backwards incompatibility.


Re: [Django] #15619: Logout link should be protected

2013-05-07 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by csrf.django@…):

 * cc: csrf.django@… (added)



Re: [Django] #15619: Logout link should be protected

2013-02-25 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by vzima):

 Replying to [comment:29 lukeplant]:
 > Replying to [comment:27 vzima]:
 >
 > > It is the same problem in Django as it is in Trac. It would be very
 > > easy to add a lot of fake images to any site powered by Django; some
 > > are listed on the Django homepage. Or the Django Project admin itself :)
 >
 > Please stop arguing with us when we already agree with you. See comment
 > number 4, which is after mine.
 My main point is that this ticket should be closed as soon as possible
 because the bug has security consequences. The bug has been open for 2
 years and it does not seem its patch will be included in 1.5 either. The
 last patch probably requires no update except comment:18, and then it got
 stuck.

 Anyway, based on the last patch from ashchristopher I created a github
 branch https://github.com/vzima/django/tree/15619-protected-logout with an
 updated patch which considers comment:18.
 Also I moved the base code from admin logout to auth logout so logouts are
 protected also outside of the admin application.

 Feedback welcome, so we can finally close this issue.


Re: [Django] #15619: Logout link should be protected

2013-02-21 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by lukeplant):

 Replying to [comment:27 vzima]:

 > It is the same problem in Django as it is in Trac. It would be very easy
 > to add a lot of fake images to any site powered by Django; some are
 > listed on the Django homepage. Or the Django Project admin itself :)

 Please stop arguing with us when we already agree with you. See comment
 number 4, which is after mine.


Re: [Django] #15619: Logout link should be protected

2013-02-21 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by raymond.penners@…):

 * cc: raymond.penners@… (added)



Re: [Django] #15619: Logout link should be protected

2013-02-11 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by vzima):

 Replying to [comment:26 aaugustin]:
 > Congratulations, you've proved you like wasting our time.
 >
 > Don't be surprised if your comments are ignored from now on.
 >
 > By the way, this isn't even a proof-of-concept against Django, it's
 > against Trac.
 It is the same problem in Django as it is in Trac. It would be very easy to
 add a lot of fake images to any site powered by Django; some are listed on
 the Django homepage. Or the Django Project admin itself :)

 {{{
 [[Image(https://www.djangoproject.com/admin/logout/)]]
 }}}


Re: [Django] #15619: Logout link should be protected

2013-02-11 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by aaugustin):

 Congratulations, you've proved you like wasting our time.

 Don't be surprised if your comments are ignored from now on.

 By the way, this isn't even a proof-of-concept against Django, it's
 against Trac.


Re: [Django] #15619: Logout link should be protected

2013-02-11 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by vzima):

 Replying to [comment:3 lukeplant]:
 > The point Russell was making was that 'SHOULD NOT' is not the same as
 > 'MUST NOT'. In practice, while being logged out by a 3rd party might be a
 > nuisance, in general the attackers will gain extremely little except
 > ill-will, and therefore there is little motivation to exploit this, and
 > fairly trivial consequences if they do.

 Really?

 [[Image(https://code.djangoproject.com/logout)]]

Re: [Django] #15619: Logout link should be protected

2013-02-11 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by vzima):

 * cc: vlastimil.zima@… (added)


Re: [Django] #15619: Logout link should be protected

2012-09-22 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by aaugustin):

 #7989 was a duplicate.

Re: [Django] #15619: Logout link should be protected

2012-09-08 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by ashchristopher):

 Talking to julienphalip on #django-dev - we are going to look at getting
 ModelAdmin.media() to return only the js files needed for a given view.
 This may require changing ModelAdmin.media() to be a method that takes
 arguments, rather than staying as a property.

Re: [Django] #15619: Logout link should be protected

2012-09-07 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by ashchristopher):

 Beginning work on this patch again.

Re: [Django] #15619: Logout link should be protected

2011-10-12 Thread Django
#15619: Logout link should be protected
---+--
 Reporter:  void   |Owner:  ashchristopher
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  SVN
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by anonymous):

 * needs_better_patch:  0 => 1


Comment:

 setting patch needs improvement per comment 18

Re: [Django] #15619: Logout link should be protected

2011-09-26 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+

Comment (by ashchristopher):

 As per julienphalip's feedback on irc:

 "it'd be good to test the actual login status after using both the POST
 and GET methods. It seems the patch only looks at what template is being
 used."

 Suggested using:

 {{{
 self.assertTrue(SESSION_KEY not in self.client.session)
 }}}

Re: [Django] #15619: Logout link should be protected

2011-09-13 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+
Changes (by ashchristopher):

 * needs_better_patch:  1 => 0
 * needs_tests:  1 => 0
 * needs_docs:  1 => 0


Re: [Django] #15619: Logout link should be protected

2011-09-11 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  1 |Needs tests:  1
Patch needs improvement:  1 |  Easy pickings:  0
  UI/UX:  0 |
+

Comment (by ashchristopher):

 Regression tests fail using this patch. Attempting to fix regression
 tests.

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  1 |Needs tests:  1
Patch needs improvement:  1 |  Easy pickings:  0
  UI/UX:  0 |
+
Changes (by PaulM):

 * needs_better_patch:  0 => 1
 * needs_tests:  0 => 1
 * needs_docs:  0 => 1


Comment:

 It's more usual to say

 {{{
 if request.method == "POST":
 }}}

 The "are you sure you want to log out" isn't translated.

 It also needs tests and documentation.

 Otherwise, the method looks pretty good to me. I'd like someone who's more
 familiar with the admin coding conventions than I to make the final call,
 but it's about ready. Thanks for keeping at this :)

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+

Comment (by PaulM):

 Tobias seems to have hit it on the head. That sounds like the right
 solution to me too.

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+

Comment (by tobias):

 1) Why POST the form over AJAX?  Can't you just put a logout form on all
 admin pages that the browser submits when the logout link is clicked?

 2) The logout link should still point to the logout confirmation page
 unless the click event is co-opted by JavaScript and converted into a
 POST. This way the confirmation page will still come into play if someone
 has JavaScript disabled.

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  1
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+
Changes (by ashchristopher):

 * has_patch:  0 => 1


Comment:

 Added patch but still needs work - looking for feedback.

 [https://code.djangoproject.com/attachment/ticket/15619/ticket15619.diff]

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  assigned
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  0
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+
Changes (by ashchristopher):

 * status:  new => assigned


Comment:

 Have this more or less working; however, I need a CSRF token when doing the
 logout in JavaScript. Not sure of the best way to go about this. Make a call
 to the URL to get the CSRF token back, then use that to submit? Not sure -
 seems like a wonky idea.

Re: [Django] #15619: Logout link should be protected

2011-09-09 Thread Django
#15619: Logout link should be protected
+
   Reporter:  void  |  Owner:  ashchristopher
   Type:  Bug   | Status:  new
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  0
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
  UI/UX:  0 |
+
Changes (by ashchristopher):

 * status:  reopened => new
 * owner:  nobody => ashchristopher
 * ui_ux:   => 0


Re: [Django] #15619: Logout link should be protected

2011-05-30 Thread Django
#15619: Logout link should be protected
+---
   Reporter:  void  |  Owner:  nobody
   Type:  Bug   | Status:  reopened
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  0
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
+---

Comment (by lukeplant):

 In the admin we can also have some jQuery (or other JavaScript) code that
 will change the logout link so that it does a POST to the logout view by
 submitting a (dynamically generated) POST form. That would be better than
 a pass-through page because it requires just one HTTP request.

Re: [Django] #15619: Logout link should be protected

2011-04-27 Thread Django
#15619: Logout link should be protected
+---
   Reporter:  void  |  Owner:  nobody
   Type:  Bug   | Status:  reopened
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  0
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
+---

Comment (by jezdez):

 Sounds like a plan +1

Re: [Django] #15619: Logout link should be protected

2011-04-25 Thread Django
#15619: Logout link should be protected
+---
   Reporter:  void  |  Owner:  nobody
   Type:  Bug   | Status:  reopened
  Milestone:  1.4   |  Component:  contrib.admin
Version:  SVN   |   Severity:  Normal
 Resolution:|   Keywords:
   Triage Stage:  Accepted  |  Has patch:  0
Needs documentation:  0 |Needs tests:  0
Patch needs improvement:  0 |  Easy pickings:  0
+---
Changes (by SmileyChris):

 * easy:   => 0
 * stage:  Design decision needed => Accepted


Comment:

 Sure, let's have the admin use a `logout` view which logs out if
 `request.method == 'POST'` otherwise shows an intermediary confirmation
 page.

 `Site.login` wraps the `django.contrib.auth.views` `logout` view and
 changing that would be backwards incompatible, so it'll have to be a new
 view (and it may as well live in `auth` so it can be used in other
 situations too).

Re: [Django] #15619: Logout link should be protected (was: Logout link should be a form)

2011-03-26 Thread Django
#15619: Logout link should be protected
--+--
   Reporter:  void|Owner:  nobody
 Status:  reopened|Milestone:  1.4
  Component:  django.contrib.admin|  Version:  SVN
 Resolution:  | Keywords:
   Triage Stage:  Design decision needed  |Has patch:  0
Needs documentation:  0   |  Needs tests:  0
Patch needs improvement:  0   |
--+--
Changes (by PaulM):

 * status:  closed => reopened
 * milestone:   => 1.4
 * stage:  Unreviewed => Design decision needed
 * resolution:  wontfix =>


Comment:

 On the recommendation of Alex Gaynor, I'm reopening this ticket.

 The issue is that this presents a really tempting avenue for DoS-type
 attacks. The attack (which I have, through great force of will, refrained
 from illustrating in this post) is to simply embed the non-side-effect-free
 URL as an image. The link obviously does not display a picture, but the
 browser does retrieve the content, forcing the user to log out. This makes
 removal of offensive content particularly obnoxious for administrators.

 Fixing this could involve requiring a form, or (since using a link to log
 out is convenient) a nonce of some sort. Some forums implement the
 functionality with a pass-through page which submits a form via
 JavaScript.

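The design the thread converges on (SmileyChris's view that logs out only on POST and shows a confirmation page otherwise, the CSRF token ashchristopher needs for that POST, and the session check julienphalip suggested for the tests), as an added example that is not code from the ticket or from Django: it models the request, the session and both logout designs in plain Python so it runs without Django installed. `Request`, `Response`, `CSRF_KEY` and the function names are assumptions made here; `SESSION_KEY` is the name used in the thread's test hint.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SESSION_KEY = "_auth_user_id"   # session key named in the thread's test hint
CSRF_KEY = "_csrftoken"         # hypothetical key holding the per-session secret


@dataclass
class Request:
    """Constructed stand-in for a request. The browser attaches the session
    cookie to every request it makes to the site, wanted or not."""
    method: str
    session: dict
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def logged_in_session() -> dict:
    """Constructed sample session of a logged-in user."""
    return {SESSION_KEY: "42"}


def logout_on_get(request: Request) -> Response:
    """Pre-fix design: a plain GET to the logout URL has a side effect."""
    request.session.pop(SESSION_KEY, None)
    return Response(200, "logged out")


def csrf_token(session: dict) -> str:
    """Issue, or reuse, the secret that a genuine form must echo back."""
    return session.setdefault(CSRF_KEY, secrets.token_hex(16))


def logout_on_post(request: Request) -> Response:
    """The design the ticket converged on: GET only renders a confirmation
    form (no side effects); POST must carry the session's CSRF token."""
    if request.method != "POST":
        form = ('<form method="post" action="/logout/">'
                '<input type="hidden" name="csrfmiddlewaretoken" '
                f'value="{csrf_token(request.session)}">'
                '<button>Are you sure you want to log out?</button></form>')
        return Response(200, form)
    expected = request.session.get(CSRF_KEY, "")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    # Constant-time comparison; an empty expected token (no form was ever
    # rendered for this session) always fails, so a blind POST fails too.
    if not expected or not hmac.compare_digest(expected, supplied):
        return Response(403, "CSRF verification failed")
    request.session.pop(SESSION_KEY, None)
    return Response(200, "logged out")


def embedded_image_fetch(view, session: dict) -> dict:
    """What the thread's [[Image(...)]] embed amounts to on the wire: the
    victim's browser issues an unintended GET with their cookies attached.
    Returns the session afterwards so callers can see whether it survived."""
    view(Request("GET", session))
    return session


def still_logged_in(session: dict) -> bool:
    """The check julienphalip suggested for the tests: is SESSION_KEY present?"""
    return SESSION_KEY in session
```

Running `embedded_image_fetch` against both views shows the difference the ticket is about: the GET-logout session is emptied by a mere image load, while the POST-only view leaves it intact and only ends the session for a POST that echoes the token a real confirmation page handed out.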