How to disable intermediate signout page in Django allauth

太阳男子 2021-02-18 19:24

How to disable the intermediate signout page from django allauth. When the user clicks on the signout link on my site I want him to logout right away, I want to remove this inte

3 answers
  • 2021-02-18 19:38

    Set ACCOUNT_LOGOUT_ON_GET to True in your settings.

    Also see the documentation

  • 2021-02-18 19:44

    Updated for December 2018.

    Using a GET request is probably a bad idea due to browsers prefetching URLs from the URL bar. Chrome (as of right now) is pretty bad for this; it'll send a GET request to pages it thinks you'll hit enter on when typing in your URL bar.

    Plus, people can add a link such as <img src="https://example.com/account/logout/"> and you'll be logged out. That's not a security risk since it's logging you out, but it is certainly annoying for your users.

    Instead, you should consider using a POST request using a form with CSRF. Django Allauth already comes with this. Here's the <form> from the intermediate signout page:

    <form method="post" action="{% url 'account_logout' %}">
      {% csrf_token %}
      {% if redirect_field_value %}
        <input type="hidden" name="{{ redirect_field_name }}" value="{{ redirect_field_value }}"/>
      {% endif %}
      <button class="STYLE_ME" type="submit">Logout</button>
    </form>
    

    In my case, I just added this to the site header and made the submit <button> look like every other link using CSS so it feels the same to them, but the form will use a POST request.

    But if that's not a solution you can implement for any reason, open your settings.py file (or your main settings file) and set:

    ACCOUNT_LOGOUT_ON_GET = True 
    

    ^ The above setting will do what you need. For further Django Allauth settings, check out their configuration page at https://django-allauth.readthedocs.io/en/latest/configuration.html?highlight=ACCOUNT_LOGOUT_ON_GET

  • 2021-02-18 19:49

    Here's another shortcut for preserving the POST request, if you don't want to mess with styling the form button with something like this:

    Hide the form:

    <form style='display: none;' method="post" action="{% url 'account_logout' %}">
      {% csrf_token %}
      <input type="hidden" name="next" value="/redirect_target/"/>
      <button id="signOutBtn" type="submit">Logout</button>
    </form>
    

    Submit with a click event attached to whatever element you've already styled:

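    // Forward clicks on the already-styled element to the hidden form's submit button
    $(document).on('click', '#signOutLink', function (event) {
        event.preventDefault();  // keep the element's own href from navigating first
        $('#signOutBtn').click();
    });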
    
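The POST-based logout from the answers above, sent with fetch() instead of a hidden form, as an added example that is not part of the original answers. It assumes Django's default CSRF cookie name (`csrftoken`) and header (`X-CSRFToken`), a CSRF cookie that page script can read, and `/accounts/logout/` as the logout path; `readCookie` and `buildLogoutRequest` are hypothetical helper names.

```javascript
// Added example (not from the answers above): POST logout with Django's CSRF token.
// Assumes Django defaults: cookie "csrftoken", header "X-CSRFToken", and
// CSRF_COOKIE_HTTPONLY = False so page script can read the cookie.

// Return one cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    // Exact name match, so "xcsrftoken" is never mistaken for "csrftoken".
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build fetch() arguments for the logout POST. Throws when the token is
// missing instead of sending a request Django's CSRF check would reject.
function buildLogoutRequest(cookieString, logoutUrl, next) {
  const token = readCookie(cookieString, 'csrftoken');
  if (!token) throw new Error('CSRF cookie missing');
  // Accept only a local path as redirect target ("/x", not "//host" or a URL).
  if (next && !/^\/(?![\/\\])/.test(next)) throw new Error('next must be a local path');
  const body = new URLSearchParams();
  if (next) body.set('next', next);
  return {
    url: logoutUrl,
    init: {
      method: 'POST',
      credentials: 'same-origin', // send the session cookie to our own origin only
      headers: { 'X-CSRFToken': token },
      body,
    },
  };
}

// Browser wiring. '#signOutLink' is the styled element from the answer;
// '/accounts/logout/' is an assumed path for the account_logout URL.
if (typeof document !== 'undefined') {
  document.addEventListener('click', async (event) => {
    if (!event.target.closest('#signOutLink')) return;
    event.preventDefault();
    const { url, init } = buildLogoutRequest(document.cookie, '/accounts/logout/', '/');
    const response = await fetch(url, init);
    if (response.ok) window.location.assign(response.url); // land on the post-logout page
  });
}
```

If the project sets CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS, the cookie is not readable from script and the token has to be taken from a rendered `{% csrf_token %}` input instead.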