Fixed #15619 -- Deprecated log out via GET requests.

Thanks Florian Apolloner for the implementation idea. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-10-11 11:02:12 +00:00 · 2020-02-27 17:55:29 +01:00 · 2020-02-27 17:55:29 +01:00 · eb07b5be0c
commit eb07b5be0c
parent d4bf3b4c75
6 changed files with 122 additions and 30 deletions
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@ -90,6 +90,10 @@ details on these changes.
 * ``created=True`` will be required in the signature of
  ``RemoteUserBackend.configure_user()`` subclasses.

+* Support for logging out via ``GET`` requests in the
+  ``django.contrib.auth.views.LogoutView`` and
+  ``django.contrib.auth.views.logout_then_login()`` will be removed.
+
 .. _deprecation-removed-in-4.1:

 4.1
--- a/docs/releases/4.1.txt
+++ b/docs/releases/4.1.txt
@ -446,6 +446,36 @@ Miscellaneous
 Features deprecated in 4.1
 ==========================

+Log out via GET
+---------------
+
+Logging out via ``GET`` requests to the :py:class:`built-in logout view
+<django.contrib.auth.views.LogoutView>` is deprecated. Use ``POST`` requests
+instead.
+
+If you want to retain the user experience of an HTML link, you can use a form
+that is styled to appear as a link:
+
+.. code-block:: html
+
+  <form id="logout-form" method="post" action="{% url 'admin:logout' %}">
+    {% csrf_token %}
+    <button type="submit">{% translate "Log out" %}</button>
+  </form>
+
+.. code-block:: css
+
+  #logout-form {
+    display: inline;
+  }
+  #logout-form button {
+    background: none;
+    border: none;
+    cursor: pointer;
+    padding: 0;
+    text-decoration: underline;
+  }
+
 Miscellaneous
 -------------

--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@ -1160,7 +1160,12 @@ implementation details see :ref:`using-the-views`.

 .. class:: LogoutView

-    Logs a user out.
+    Logs a user out on ``POST`` requests.
+
+    .. deprecated:: 4.1
+
+        Support for logging out on ``GET`` requests is deprecated and will be
+        removed in Django 5.0.

    **URL name:** ``logout``

@ -1212,7 +1217,7 @@ implementation details see :ref:`using-the-views`.

 .. function:: logout_then_login(request, login_url=None)

-    Logs a user out, then redirects to the login page.
+    Logs a user out on ``POST`` requests, then redirects to the login page.

    **URL name:** No default URL provided

@ -1221,6 +1226,11 @@ implementation details see :ref:`using-the-views`.
    * ``login_url``: The URL of the login page to redirect to.
      Defaults to :setting:`settings.LOGIN_URL <LOGIN_URL>` if not supplied.

+    .. deprecated:: 4.1
+
+        Support for logging out on ``GET`` requests is deprecated and will be
+        removed in Django 5.0.
+
 .. class:: PasswordChangeView

    **URL name:** ``password_change``