UX-wise the intermediary page is annoying. So if we can just provide some
docs and upgrade notes I'd be fine with just dropping the GET part.
On Thursday, March 5, 2020 at 5:40:25 PM UTC+1, René Fleschenberg wrote:
> Hi,
>
> On 04.03.20 12:13, Sam Willis wrote:
> > Why not have the logout link
Hi,
On 04.03.20 12:13, Sam Willis wrote:
Why not have the logout link take the user to a page asking them to confirm the
logout, and have it as a POSTed form button from there?
That adds a helpful confirmation page, removes the difficulties of styling a
button as a link constantly (or changin
Users don't need to confirm a logout. Confirmation is usually when deleting
a profile or making something irreversible. Logging out is reversible and
therefore doesn't need to be confirmed. Just clicking "logout" should log
the user out - whether a regular user or an admin.
אורי
u...@speedy.net
If your suggestion is limited to the admin, I think it would be fine, but
it's not necessary. But I don't think there is a compelling reason - there
aren't any difficulties with the CSS since Rene has already written it.
If your suggestion is for all logout views, there's no way to enforce it,
and
Why not have the logout link take the user to a page asking them to confirm the
logout, and have it as a POSTed form button from there?
That adds a helpful confirmation page, removes the difficulties of styling a
button as a link constantly (or changing the header design to a button).
One downs
Hi,
On 3/2/20 9:34 PM, Tim Chase wrote:
> On 2020-03-02 18:35, Anna Sidwell wrote:
>> Is there any particular reason why it shouldn't look like a button
>> instead of a link?
>
> The concern isn't how it looks (with CSS you can make a button look
> like a link, or make a link look like a button).
On 2020-03-02 18:35, Anna Sidwell wrote:
> Is there any particular reason why it shouldn't look like a button
> instead of a link?
The concern isn't how it looks (with CSS you can make a button look
like a link, or make a link look like a button).
An does the logout action via a GET (and is the
Is there any particular reason why it shouldn't look like a button instead of a
link?
Anna
On Mon, 2 Mar 2020, at 08:27, Aymeric Augustin wrote:
> Hello,
>
> Le dim. 1 mars 2020 à 11:04, Adam Johnson a écrit :
>>> Yes, but then hovering on the link doesn't show the logout URL at the
>>> botto
Hello,
Le dim. 1 mars 2020 à 11:04, Adam Johnson a écrit :
>> Yes, but then hovering on the link doesn't show the logout URL at the
>> bottom of the screen.
>
>
> I don't think this is a concern.
>
If it's just the link preview, yes, I think we can make the trade off.
The more general concern h
>
> Yes, but then hovering on the link doesn't show the logout URL at the
> bottom of the screen.
I don't think this is a concern.
On Sat, 29 Feb 2020 at 18:07, אורי wrote:
> Yes, but then hovering on the link doesn't show the logout URL at the
> bottom of the screen.
> אורי
> u...@speedy
Yes, but then hovering on the link doesn't show the logout URL at the
bottom of the screen.
אורי
u...@speedy.net
On Sat, Feb 29, 2020 at 6:01 PM Florian Apolloner
wrote:
> I found an example on stackoverflow on how we could do this in the admin
> without JS (with a bit of styling): https://stac
Hi,
On 2/29/20 5:01 PM, Florian Apolloner wrote:
> I found an example on stackoverflow on how we could do this in the admin
> without JS (with a bit of styling): https://stackoverflow.com/a/33880971
> -- I personally would prefer it if we would not need javascript for a
> fundamental functionality
I found an example on stackoverflow on how we could do this in the admin
without JS (with a bit of styling): https://stackoverflow.com/a/33880971 --
I personally would prefer it if we would not need javascript for a
fundamental functionality like this.
On Saturday, February 29, 2020 at 9:26:23
Google (=Gmail): GET, but with a security token in the URL
Facebook: POST
Instagram: POST
Twitter: POST
On Sat, 29 Feb 2020 at 08:08, אורי wrote:
> I'm interested: Google, Gmail, Facebook, Instagram, Twitter: How do they
> use logout? POST or GET?
> אורי
> u...@speedy.net
>
>
> On Thu, Feb
I'm interested: Google, Gmail, Facebook, Instagram, Twitter: How do they
use logout? POST or GET?
אורי
u...@speedy.net
On Thu, Feb 27, 2020 at 7:10 PM René Fleschenberg
wrote:
> Hi everyone,
>
> there seems to be consensus that logging the client out on GET requests
> to the logout view is not
Hi,
On 2/28/20 5:04 PM, 'Maher, Brian' via Django developers (Contributions
to Django itself) wrote:
> Are any current browsers dumb enough to prefetch logout links these
> days? I would assume that most prefetch algorithms are smart enough to
> not pre-fetch these.
We not only have to consider b
On Friday, February 28, 2020 at 5:08:07 PM UTC+1, Maher, Brian wrote:
>
> Are any current browsers dumb enough to prefetch logout links these days?
> I would assume that most prefetch algorithms are smart enough to not
> pre-fetch these.
>
Not sure what heuristics browsers use.
I have also s
Subject: Re: Deprecating logout via GET
Wow and first ticket referenced in one of those conversations was 12 years ago:
https://code.djangoproject.com/ticket/7989
Wow and first ticket referenced in one of those conversations was 12 years
ago: https://code.djangoproject.com/ticket/7989
Seems like a no-brainer at this point with general support from other
core devs in the past :)
On Fri, 28 Feb 2020 at 00:10, René Fleschenberg
wrote:
> Hi,
>
> On 2/28
Hi,
On 2/28/20 12:12 AM, Adam Johnson wrote:
> > The reason this was not changed yet is backwards compatibility.
>
> Do you have any mailing list / ticket links as reference?
Sorry, I forgot to link them here. The main ticket seems to be
https://code.djangoproject.com/ticket/15619.
Mailing lis
> The reason this was not changed yet is backwards compatibility.
Do you have any mailing list / ticket links as reference?
It should be noted that the popular allauth already doesn’t allow logout by
GET (by default).
Personally I’m in favour.
On Thu, 27 Feb 2020 at 17:10, René Fleschenberg
Hi everyone,
there seems to be consensus that logging the client out on GET requests
to the logout view is not great. Clients may try to prefetch links (this
came up on IRC today). Attackers might annoy users by logging them out
with embedded links to the logout URL.
The reason this was not chang