only logout with POST, fixes #126

Author: peterbe

mozilla_django_oidc/views.py

@@ -123,7 +123,7 @@ def redirect_url(self):
         """Return the logout url defined in settings."""
         return import_from_settings('LOGOUT_REDIRECT_URL', '/')
 
-    def dispatch(self, request, *args, **kwargs):
+    def post(self, request):
         """Log out the user."""
         logout_url = self.redirect_url
 

tests/test_views.py

@@ -301,22 +301,17 @@ def test_get(self):
         request.user = user
         logout_view = views.OIDCLogoutView.as_view()
 
-        with patch('mozilla_django_oidc.views.auth.logout') as mock_logout:
-            response = logout_view(request)
-            mock_logout.assert_called_once_with(request)
-
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, '/example-logout')
+        response = logout_view(request)
+        self.assertEqual(response.status_code, 405)
 
     @override_settings(LOGOUT_REDIRECT_URL='/example-logout')
     def test_get_anonymous_user(self):
         url = reverse('oidc_logout')
-        request = self.factory.get(url)
+        request = self.factory.post(url)
         request.user = AnonymousUser()
         logout_view = views.OIDCLogoutView.as_view()
 
         response = logout_view(request)
-
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, '/example-logout')