Merged in [19876] from jennifer@painless-security.com:

Do not redirect user to the logout page when logging in. Fixes #3478. - Legacy-Id: 19881 Note: SVN reference [19876] has been migrated to Git commit c4bf508cd8
2022-01-27 18:01:05 +00:00 · 2022-01-27 18:01:05 +00:00 · 0205d13a0a
parent 103cc15cec c4bf508cd8
commit 0205d13a0a
3 changed files with 19 additions and 1 deletions
--- a/ietf/doc/templatetags/ietf_filters.py
+++ b/ietf/doc/templatetags/ietf_filters.py
@ -394,6 +394,23 @@ def expires_soon(x,request):
 def startswith(x, y):
    return str(x).startswith(y)

+
+@register.filter(name='removesuffix', is_safe=False)
+def removesuffix(value, suffix):
+    """Remove an exact-match suffix
+    
+    The is_safe flag is False because indiscriminate use of this could result in non-safe output.
+    See https://docs.djangoproject.com/en/2.2/howto/custom-template-tags/#filters-and-auto-escaping
+    which describes the possibility that removing characters from an escaped string may introduce
+    HTML-unsafe output.
+    """
+    base = str(value)
+    if base.endswith(suffix):
+        return base[:-len(suffix)]
+    else:
+        return base
+
+
@register.filter
 def has_role(user, role_names):
    from ietf.ietfauth.utils import has_role
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@ -95,6 +95,7 @@ class IetfAuthTests(TestCase):
        # try logging out
        r = self.client.get(urlreverse('django.contrib.auth.views.logout'))
        self.assertEqual(r.status_code, 200)
+        self.assertNotContains(r, "accounts/logout")

        r = self.client.get(urlreverse(ietf.ietfauth.views.profile))
        self.assertEqual(r.status_code, 302)
--- a/ietf/templates/base.html
+++ b/ietf/templates/base.html
@ -72,7 +72,7 @@
            </ul>
        {% if not user.is_authenticated %}
            <p class="navbar-text"></p>
-            <a class="btn {% if server_mode and server_mode == "production" %}btn-warning{% else %}btn-default{% endif %} btn-sm navbar-btn" rel="nofollow" href="/accounts/login/?next={{request.get_full_path|urlencode}}">Sign in</a>
+            <a class="btn {% if server_mode and server_mode == "production" %}btn-warning{% else %}btn-default{% endif %} btn-sm navbar-btn" rel="nofollow" href="/accounts/login/?next={{request.get_full_path|removesuffix:"accounts/logout/"|urlencode}}">Sign in</a>
        {% endif %}

 	    <form class="navbar-form navbar-right hidden-xs" action="/doc/search/">