Add logout as POST action

for now, there is nothing when /exit is called manually
2025-05-05 12:41:49 +02:00 · 2022-07-12 12:46:36 +02:00 · 2022-07-12 12:46:36 +02:00 · 498ceec9f5
commit 498ceec9f5
parent 91280a5d88
3 changed files with 26 additions and 7 deletions
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@ -443,6 +443,10 @@ class InviteForm(FlaskForm):
                )


+class ConfirmLogoutForm(FlaskForm):
+    submit = SubmitField(_("Logout"))
+
+
 class EmptyForm(FlaskForm):
    """Used for CSRF validation"""

--- a/ihatemoney/templates/layout.html
+++ b/ihatemoney/templates/layout.html
@ -119,9 +119,10 @@
            <li><a class="dropdown-item" href="{{ url_for("main.dashboard") }}">{{ _("Dashboard") }}</a></li>
            {% endif %}
            <li>
-              <a class="dropdown-item" href="{{ url_for("main.exit") }}">
-                {{ _("Logout") }}
-              </a>
+              <form action="{{ url_for("main.exit") }}" method="post">
+                {{ g.confirm_logout_form.hidden_tag() }}
+                {{ g.confirm_logout_form.submit(class="dropdown-item") }}
+              </form>
            </li>
          </ul>
        </li>
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -40,6 +40,7 @@ from ihatemoney.emails import send_creation_email
 from ihatemoney.forms import (
    AdminAuthenticationForm,
    AuthenticationForm,
+    ConfirmLogoutForm,
    DestructiveActionProjectForm,
    EditProjectForm,
    EmptyForm,
@ -149,6 +150,7 @@ def pull_project(endpoint, values):
        if session.get(project.id) or is_admin or is_invitation:
            # add project into kwargs and call the original function
            g.project = project
+            g.confirm_logout_form = ConfirmLogoutForm()
        else:
            # redirect to authentication page
            raise Redirect303(url_for(".authenticate", project_id=project_id))
@ -534,11 +536,23 @@ def export_project(file, format):
    )


-@main.route("/exit")
+@main.route("/exit", methods=["GET", "POST"])
 def exit():
-    # delete the session
-    session.clear()
-    return redirect(url_for(".home"))
+    # We must test it manually, because otherwise, it creates a project "exit"
+    if request.method == "GET":
+        abort(405)
+
+    form = ConfirmLogoutForm()
+    if form.validate():
+        # delete the session
+        session.clear()
+        return redirect(url_for(".home"))
+    else:
+        flash(
+            format_form_errors(form, _("Unable to logout")),
+            category="danger",
+        )
+        return redirect(request.headers.get("Referer") or url_for(".home"))


@main.route("/demo")