Fixed #25490 -- Made the logout() view send "no-cache" headers.

2015-10-01 12:52:18 -07:00 · 2015-10-01 12:52:18 -07:00 · adcf823359
parent 37a5a36321
commit adcf823359
3 changed files with 13 additions and 0 deletions
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@ -92,6 +92,7 @@ def login(request, template_name='registration/login.html',


@deprecate_current_app
+@never_cache
 def logout(request, next_page=None,
           template_name='registration/logged_out.html',
           redirect_field_name=REDIRECT_FIELD_NAME,
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@ -47,6 +47,10 @@ Minor features
  subclassed ``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
  default value.

+* The :func:`~django.contrib.auth.views.logout` view sends "no-cache" headers
+  to prevent an issue where Safari caches redirects and prevents a user from
+  being able to log out.
+
 :mod:`django.contrib.contenttypes`
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -770,6 +770,14 @@ class LogoutTest(AuthViewsTestCase):
        response = self.client.get('/logout/')
        self.assertIn('site', response.context)

+    def test_logout_doesnt_cache(self):
+        """
+        The logout() view should send "no-cache" headers for reasons described
+        in #25490.
+        """
+        response = self.client.get('/logout/')
+        self.assertIn('no-store', response['Cache-Control'])
+
    def test_logout_with_overridden_redirect_url(self):
        # Bug 11223
        self.login()