Re: Deprecating logout via GET

2020-03-05 Thread Florian Apolloner
UX wise the intermediary page is annoying. So if we can just provide some docs and upgrade notes I'd be fine with just dropping the get part. On Thursday, March 5, 2020 at 5:40:25 PM UTC+1, René Fleschenberg wrote: > Hi, > > On 04.03.20 12:13, Sam Willis wrote: > > Why not have the logout link

Re: Deprecating logout via GET

2020-03-05 Thread René Fleschenberg
Hi, On 04.03.20 12:13, Sam Willis wrote: Why not have the logout link take the user to a page asking them to confirm the logout, and have it as a POSTed form button from there? That adds a helpful confirmation page, removes the difficulties of styling a button as a link constantly (or changin

Re: Deprecating logout via GET

2020-03-04 Thread אורי
Users don't need to confirm a logout. Confirmation is usually when deleting a profile or making something irreversible. Logging out is reversible and therefore doesn't need to be confirmed. Just clicking "logout" should log the user out - whether a regular user or an admin. אורי u...@speedy.net

Re: Deprecating logout via GET

2020-03-04 Thread Adam Johnson
If your suggestion is limited to the admin, I think it would be fine, but it's not necessary. But I don't think there is a compelling reason - there aren't any difficulties with the CSS since Rene has already written it. If your suggestion is for all logout views, there's no way to enforce it, and

Re: Deprecating logout via GET

2020-03-04 Thread Sam Willis
Why not have the logout link take the user to a page asking them to confirm the logout, and have it as a POSTed form button from there? That adds a helpful confirmation page, removes the difficulties of styling a button as a link constantly (or changing the header design to a button). One downs

Re: Deprecating logout via GET

2020-03-02 Thread René Fleschenberg
Hi, On 3/2/20 9:34 PM, Tim Chase wrote: > On 2020-03-02 18:35, Anna Sidwell wrote: >> Is there any particular reason why it shouldn't look like a button >> instead of a link? > > The concern isn't how it looks (with CSS you can make a button look > like a link, or make a link look like a button).

Re: Deprecating logout via GET

2020-03-02 Thread Tim Chase
On 2020-03-02 18:35, Anna Sidwell wrote: > Is there any particular reason why it shouldn't look like a button > instead of a link? The concern isn't how it looks (with CSS you can make a button look like a link, or make a link look like a button). An <a> does the logout action via a GET (and is the

Re: Deprecating logout via GET

2020-03-02 Thread Anna Sidwell
Is there any particular reason why it shouldn't look like a button instead of a link? Anna On Mon, 2 Mar 2020, at 08:27, Aymeric Augustin wrote: > Hello, > > Le dim. 1 mars 2020 à 11:04, Adam Johnson a écrit : >>> Yes, but then hovering on the link doesn't show the logout URL at the >>> botto

Re: Deprecating logout via GET

2020-03-02 Thread Aymeric Augustin
Hello, Le dim. 1 mars 2020 à 11:04, Adam Johnson a écrit : > Yes, but then hovering on the link doesn't show the logout URL at the >> bottom of the screen. > > > I don't think this is a concern. > If it's just the link preview, yes, I think we can make the trade off. The more general concern h

Re: Deprecating logout via GET

2020-03-01 Thread Adam Johnson
> > Yes, but then hovering on the link doesn't show the logout URL at the > bottom of the screen. I don't think this is a concern. ‪On Sat, 29 Feb 2020 at 18:07, ‫אורי‬‎ wrote:‬ > Yes, but then hovering on the link doesn't show the logout URL at the > bottom of the screen. > אורי > u...@speedy

Re: Deprecating logout via GET

2020-02-29 Thread אורי
Yes, but then hovering on the link doesn't show the logout URL at the bottom of the screen. אורי u...@speedy.net On Sat, Feb 29, 2020 at 6:01 PM Florian Apolloner wrote: > I found an example on stackoverflow on how we could do this in the admin > without JS (with a bit of styling): https://stac

Re: Deprecating logout via GET

2020-02-29 Thread René Fleschenberg
Hi, On 2/29/20 5:01 PM, Florian Apolloner wrote: > I found an example on stackoverflow on how we could do this in the admin > without JS (with a bit of styling): https://stackoverflow.com/a/33880971 > -- I personally would prefer it if we would not need javascript for a > fundamental functionality

Re: Deprecating logout via GET

2020-02-29 Thread Florian Apolloner
I found an example on stackoverflow on how we could do this in the admin without JS (with a bit of styling): https://stackoverflow.com/a/33880971 -- I personally would prefer it if we would not need javascript for a fundamental functionality like this. On Saturday, February 29, 2020 at 9:26:23

Re: Deprecating logout via GET

2020-02-29 Thread Adam Johnson
Google (=Gmail): GET, but with a security token in the URL Facebook: POST Instagram: POST Twitter: POST ‪On Sat, 29 Feb 2020 at 08:08, ‫אורי‬‎ wrote:‬ > I'm interested: Google, Gmail, Facebook, Instagram, Twitter: How do they > use logout? POST or GET? > אורי > u...@speedy.net > > > On Thu, Feb

Re: Deprecating logout via GET

2020-02-29 Thread אורי
I'm interested: Google, Gmail, Facebook, Instagram, Twitter: How do they use logout? POST or GET? אורי u...@speedy.net On Thu, Feb 27, 2020 at 7:10 PM René Fleschenberg wrote: > Hi everyone, > > there seems to be consensus that logging the client out on GET requests > to the logout view is not

Re: Deprecating logout via GET

2020-02-28 Thread René Fleschenberg
Hi, On 2/28/20 5:04 PM, 'Maher, Brian' via Django developers (Contributions to Django itself) wrote: > Are any current browsers dumb enough to prefetch logout links these > days? I would assume that most prefetch algorithms are smart enough to > not pre-fetch these. We not only have to consider b

Re: Deprecating logout via GET

2020-02-28 Thread Florian Apolloner
On Friday, February 28, 2020 at 5:08:07 PM UTC+1, Maher, Brian wrote: > > Are any current browsers dumb enough to prefetch logout links these days? > I would assume that most prefetch algorithms are smart enough to not > pre-fetch these. > Not sure what heuristics browsers use. I have also s

Re: Deprecating logout via GET

2020-02-28 Thread 'Maher, Brian' via Django developers (Contributions to Django itself)
m" Subject: Re: Deprecating logout via GET Wow and first ticket referenced in one of those conversations was 12 years ago: https://code.djangoproject.com/ticket/7989

Re: Deprecating logout via GET

2020-02-28 Thread Adam Johnson
Wow and first ticket referenced in one of those conversations was 12 years ago: https://code.djangoproject.com/ticket/7989 Seems like a bit of a no-brainer at this point with general support from other core devs in the past :) On Fri, 28 Feb 2020 at 00:10, René Fleschenberg wrote: > Hi, > > On 2/28

Re: Deprecating logout via GET

2020-02-27 Thread René Fleschenberg
Hi, On 2/28/20 12:12 AM, Adam Johnson wrote: >  > The reason this was not changed yet is backwards compatibility. > > Do you have any mailing list / ticket links as reference? Sorry, I forgot to link them here. The main ticket seems to be https://code.djangoproject.com/ticket/15619. Mailing lis

Re: Deprecating logout via GET

2020-02-27 Thread Adam Johnson
> The reason this was not changed yet is backwards compatibility. Do you have any mailing list / ticket links as reference? It should be noted that the popular allauth already doesn’t allow logout by GET (by default). Personally I’m in favour. On Thu, 27 Feb 2020 at 17:10, René Fleschenberg

Deprecating logout via GET

2020-02-27 Thread René Fleschenberg
Hi everyone, there seems to be consensus that logging the client out on GET requests to the logout view is not great. Clients may try to prefetch links (this came up on IRC today). Attackers might annoy users by logging them out with embedded links to the logout URL. The reason this was not chang