Re: Unable to log out of postgresql.org
| From | Jack Bonatakis |
|---|---|
| Subject | Re: Unable to log out of postgresql.org |
| Date | |
| Msg-id | 8448e79d-3359-4c83-9913-0812df7b5a8a@app.fastmail.com |
| In reply to | Re: Unable to log out of postgresql.org (Magnus Hagander <magnus@hagander.net>) |
| Responses | Re: Unable to log out of postgresql.org |
| List | pgsql-www |

On Fri, Mar 20, 2026, at 2:26 PM, Magnus Hagander wrote:
> Nice spot.
>
> However, this fix won't work. Putting a csrf token on every page is incompatible with the caching system we have in place.
>
> One way to fix it would be to just allow logout GET again (I think this got broken on a django upgrade where it wasn't tested). But maybe the better way to fix it would be to have the logout link go to a page with a POST form on it, and have that form do what the GET link does now. I assume the GET is blocked because otherwise someone could trick a user, or redirect them, to the logout URL and they get logged out. I'm not sure how realistic or how big of a problem that is, but getting rid of it would not hurt...
>
> Would you be interested in working on a patch for that as well?
>
> //Magnus

Ah interesting. Yeah, it looks to be a change new with Django 5. I'll have to take a closer look at the existing caching system, but yes I'd be happy to work on an alternative to my patch above. Your proposal seems reasonable and might be the way to go.
Jack
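
The design proposed in the quoted message (logout link leads to a confirmation page, and only that page's POST form carries a CSRF token) can be sketched as follows. This is an added example, not code from pgweb or from either poster; it uses a framework-free handler rather than Django, and the path `/account/logout/`, the session store and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)    # per-process signing key (constructed for the demo)
SESSIONS = {"sid-alice": "alice"}   # constructed session store: session id -> user
LOGOUT = "/account/logout/"         # hypothetical path, not taken from the thread

def csrf_token(sid):
    """Token bound to one session, so it is useless for any other user."""
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def handle(method, path, sid, form=None):
    """Return (status, headers, body) for a request carrying session id `sid`."""
    if path != LOGOUT:
        # Ordinary pages carry only a plain link and no token,
        # so a shared cache can keep serving one copy to everyone.
        return 200, {"Cache-Control": "public, max-age=300"}, \
            '<a href="%s">Log out</a>' % LOGOUT
    if sid not in SESSIONS:
        return 302, {"Location": "/"}, ""
    if method == "GET":
        # GET changes no state: a forced redirect or embedded link to this
        # URL only displays the form. The page is per-user, so never cached.
        body = ('<form method="post" action="%s">'
                '<input type="hidden" name="csrf" value="%s">'
                '<button>Log out</button></form>' % (LOGOUT, csrf_token(sid)))
        return 200, {"Cache-Control": "no-store"}, body
    if method == "POST":
        supplied = (form or {}).get("csrf", "")
        # Constant-time comparison on bytes; a missing or wrong token is refused.
        if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
            return 403, {}, "CSRF check failed"
        del SESSIONS[sid]           # the only state change, reachable via POST only
        return 302, {"Location": "/"}, ""
    return 405, {"Allow": "GET, POST"}, ""
```
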