Merge pull request #406 from johngian/fix-405

Add configuration to opt in logout using GET

Author: akatsoulas

docs/settings.rst

@@ -257,3 +257,9 @@ of ``mozilla-django-oidc``.
    :default: False
 
    Use HTTP Basic Authentication instead of sending the client secret in token request POST body.
+
+.. py:attribute:: ALLOW_LOGOUT_GET_METHOD
+
+   :default: False
+
+   Allow using GET method to logout user

mozilla_django_oidc/views.py

@@ -2,7 +2,7 @@
 
 from django.contrib import auth
 from django.core.exceptions import SuspiciousOperation
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseNotAllowed
 from django.urls import reverse
 from django.utils.crypto import get_random_string
 
@@ -202,7 +202,7 @@ def redirect_url(self):
         """Return the logout url defined in settings."""
         return self.get_settings('LOGOUT_REDIRECT_URL', '/')
 
-    def get(self, request):
+    def post(self, request):
         """Log out the user."""
         logout_url = self.redirect_url
 
@@ -218,6 +218,8 @@ def get(self, request):
 
         return HttpResponseRedirect(logout_url)
 
-    def post(self, request):
+    def get(self, request):
         """Log out the user."""
-        return self.get(request)
+        if self.get_settings("ALLOW_LOGOUT_GET_METHOD", False):
+            return self.post(request)
+        return HttpResponseNotAllowed(["POST"])