public inbox for [email protected]  
help / color / mirror / Atom feed
Unable to log out of postgresql.org
6+ messages / 3 participants
[nested] [flat]

* Unable to log out of postgresql.org
@ 2026-03-19 22:15  Jack Bonatakis <[email protected]>
  0 siblings, 1 reply; 6+ messages in thread

From: Jack Bonatakis @ 2026-03-19 22:15 UTC (permalink / raw)
  To: [email protected]

Hi all, 

I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.

To reproduce:
 • Log in to https://www.postgresql.org
 • Navigate to the account page https://www.postgresql.org/account/
 • Click `Logout` on the lefthand nav bar
   • The browser network tab shows a `GET` request to https://www.postgresql.org/account/logout/, which returns a 405. 
The expected result is, of course, to be logged out, yet after the 405 I find I am still logged in. I can manually clear cookies to force a logout. 

I do see this in the response header, which leads me to believe the logout call should be a POST, not a GET:
> allow: POST, OPTIONS

Jack


^ permalink  raw  reply  [nested|flat] 6+ messages in thread

* Re: Unable to log out of postgresql.org
@ 2026-03-19 22:21  Daniel Gustafsson <[email protected]>
  parent: Jack Bonatakis <[email protected]>
  0 siblings, 1 reply; 6+ messages in thread

From: Daniel Gustafsson @ 2026-03-19 22:21 UTC (permalink / raw)
  To: Jack Bonatakis <[email protected]>; +Cc: [email protected]

> On 19 Mar 2026, at 23:15, Jack Bonatakis <[email protected]> wrote:

> I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.

I can reproduce that as well.

--
Daniel Gustafsson






^ permalink  raw  reply  [nested|flat] 6+ messages in thread

* Re: Unable to log out of postgresql.org
@ 2026-03-19 23:49  Jack Bonatakis <[email protected]>
  parent: Daniel Gustafsson <[email protected]>
  0 siblings, 1 reply; 6+ messages in thread

From: Jack Bonatakis @ 2026-03-19 23:49 UTC (permalink / raw)
  To: Daniel Gustafsson <[email protected]>; +Cc: [email protected]

Hi Daniel,

Thanks for confirming. I took a look at the repo and have a fix that works locally. Please see the attached patch.

Jack

On Thu, Mar 19, 2026, at 6:21 PM, Daniel Gustafsson wrote:
> > On 19 Mar 2026, at 23:15, Jack Bonatakis <[email protected]> wrote:
> 
> > I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.
> 
> I can reproduce that as well.
> 
> --
> Daniel Gustafsson
> 
> 


Attachments:

  [application/octet-stream] 0001-Render-logout-as-a-POST-form.patch (2.4K, ../../[email protected]/3-0001-Render-logout-as-a-POST-form.patch)
  download | inline diff:
From 639c12e7a8b37707da96a46ea8c5d290590942e5 Mon Sep 17 00:00:00 2001
From: Jack Bonatakis <[email protected]>
Date: Thu, 19 Mar 2026 19:43:53 -0400
Subject: [PATCH] Render logout as a POST form

In order to make the logout link send a POST
we have to render it as a button. This does
that, and styles it to match the existing
links in the sidebar
---
 media/css/main.css       | 15 +++++++++++++++
 pgweb/util/contexts.py   |  2 +-
 templates/base/page.html | 10 +++++++++-
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/media/css/main.css b/media/css/main.css
index 6aed61e0..b6f0ee79 100644
--- a/media/css/main.css
+++ b/media/css/main.css
@@ -848,6 +848,21 @@ input#navbar-toggler {
   font-weight: normal;
 }
 
+#pgSideNav .pg-nav-button {
+  background: none;
+  border: 0;
+  color: var(--pg-sidenav-a-fg-color);
+  cursor: pointer;
+  font: inherit;
+  font-weight: normal;
+  padding: 0;
+}
+
+#pgSideNav .pg-nav-button:hover,
+#pgSideNav .pg-nav-button:active {
+  color: var(--a-highlight-fg-color);
+}
+
 #pgSideNav ul {
   list-style-type: circle;
   padding-left: 1.3em;
diff --git a/pgweb/util/contexts.py b/pgweb/util/contexts.py
index 412b7b61..189bea59 100644
--- a/pgweb/util/contexts.py
+++ b/pgweb/util/contexts.py
@@ -87,7 +87,7 @@ sitenav = {
             {'title': 'Organisations', 'link': '/account/edit/organisations/'},
         ]},
         {'title': 'Change password', 'link': '/account/changepwd/'},
-        {'title': 'Logout', 'link': '/account/logout/'},
+        {'title': 'Logout', 'link': '/account/logout/', 'post': True},
     ],
 }
 
diff --git a/templates/base/page.html b/templates/base/page.html
index 523b53d8..0548912d 100644
--- a/templates/base/page.html
+++ b/templates/base/page.html
@@ -11,7 +11,15 @@
          <ul>
            {%for m in navmenu%}
            {%if not forloop.first %}</li>{%endif%}
-           <li{%if forloop.last%} class="last-child"{%endif%}><a href="{{m.link}}">{{m.title}}</a>
+           <li{%if forloop.last%} class="last-child"{%endif%}>
+            {% if m.post %}
+            <form method="post" action="{{m.link}}">
+              {% csrf_token %}
+              <button type="submit" class="pg-nav-button">{{m.title}}</button>
+            </form>
+            {% else %}
+            <a href="{{m.link}}">{{m.title}}</a>
+            {% endif %}
             {%if m.submenu %}
              <ul>
              {%for sm in m.submenu %}
-- 
2.50.1 (Apple Git-155)



^ permalink  raw  reply  [nested|flat] 6+ messages in thread

* Re: Unable to log out of postgresql.org
@ 2026-03-20 18:26  Magnus Hagander <[email protected]>
  parent: Jack Bonatakis <[email protected]>
  0 siblings, 1 reply; 6+ messages in thread

From: Magnus Hagander @ 2026-03-20 18:26 UTC (permalink / raw)
  To: Jack Bonatakis <[email protected]>; +Cc: Daniel Gustafsson <[email protected]>; [email protected]

Nice spot.

However, this fix won't work. Putting a csrf token on every page is
incompatible with the caching system we have in place.

One way to fix it would be to just allow logout GET again (I think this got
broken on a django upgrade where it wasn't tested). But maybe the better
way to fix it would be to have the logout link go to a page with a POST
form on it, and have that form do what the GET link does now. I assume the
GET is blocked because otherwise someone could trick a user, or redirect
them, to the logout URL and they get logged out. I'm not sure how realistic
or how big of a problem that is, but getting rid of it would not hurt...

Would you be interested in working on a patch for that as well?

//Magnus


On Fri, 20 Mar 2026 at 00:49, Jack Bonatakis <[email protected]> wrote:

> Hi Daniel,
>
> Thanks for confirming. I took a look at the repo and have a fix that works
> locally. Please see the attached patch.
>
> Jack
>
> On Thu, Mar 19, 2026, at 6:21 PM, Daniel Gustafsson wrote:
>
> > On 19 Mar 2026, at 23:15, Jack Bonatakis <[email protected]> wrote:
>
> > I seem unable to log out of postgresql.org. I have tried in multiple
> browsers and have received the same error each time.
>
> I can reproduce that as well.
>
> --
> Daniel Gustafsson
>
>
>
>


^ permalink  raw  reply  [nested|flat] 6+ messages in thread

* Re: Unable to log out of postgresql.org
@ 2026-03-21 01:51  Jack Bonatakis <[email protected]>
  parent: Magnus Hagander <[email protected]>
  0 siblings, 1 reply; 6+ messages in thread

From: Jack Bonatakis @ 2026-03-21 01:51 UTC (permalink / raw)
  To: Magnus Hagander <[email protected]>; +Cc: [email protected]

On Fri, Mar 20, 2026, at 2:26 PM, Magnus Hagander wrote:
> Nice spot.
> 
> However, this fix won't work. Putting a csrf token on every page is incompatible with the caching system we have in place.
> 
> One way to fix it would be to just allow logout GET again (I think this got broken on a django upgrade where it wasn't tested). But maybe the better way to fix it would be to have the logout link go to a page with a POST form on it, and have that form do what the GET link does now. I assume the GET is blocked because otherwise someone could trick a user, or redirect them, to the logout URL and they get logged out. I'm not sure how realistic or how big of a problem that is, but getting rid of it would not hurt...
> 
> Would you be interested in working on a patch for that as well?
> 
> //Magnus

Ah interesting. Yeah, it looks to be a change new with Django 5. I'll have to take a closer look at the existing caching system, but yes I'd be happy to work on an alternative to my patch above. Your proposal seems reasonable and might be the way to go.

Jack 

^ permalink  raw  reply  [nested|flat] 6+ messages in thread

* Re: Unable to log out of postgresql.org
@ 2026-03-25 01:35  Jack Bonatakis <[email protected]>
  parent: Jack Bonatakis <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Jack Bonatakis @ 2026-03-25 01:35 UTC (permalink / raw)
  To: Magnus Hagander <[email protected]>; +Cc: [email protected]

Okay I think this one will work better. I went with your suggestion of a separate log out page. Note that I added an explicit `@never_cache` decorator since the response headers showed Django wasn't setting Cache-Control automatically. 

Jack

Attachments:

  [application/octet-stream] 0001-Fix-logout-broken-by-Django-5-s-removal-of-GET-based.patch (2.8K, ../../[email protected]/3-0001-Fix-logout-broken-by-Django-5-s-removal-of-GET-based.patch)
  download | inline diff:
From 14047a2473aa1e09a9e4000f9525e55eb65a206b Mon Sep 17 00:00:00 2001
From: Jack Bonatakis <[email protected]>
Date: Tue, 24 Mar 2026 20:10:51 -0400
Subject: [PATCH v2] Fix logout broken by Django 5's removal of GET-based logout

Django 5 no longer allows logout via GET request, which broke the
logout link in the site nav. An earlier fix attempted to embed a
POST form with a CSRF token directly in the nav, but that approach
is incompatible with the site's caching setup as pages with embedded
CSRF tokens cannot be shared across users by Varnish.

Instead, the logout link remains a plain GET link (no CSRF token on
cached pages). The logout view now renders a confirmation page on
GET, and only performs the actual logout on POST. The CSRF token
lives on that confirmation page alone, which is user-specific and
not cached.

The view is also marked @never_cache, since Django does not
automatically set Cache-Control headers here and Varnish is in
front of the application.
---
 pgweb/account/views.py        |  6 +++++-
 templates/account/logout.html | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 templates/account/logout.html

diff --git a/pgweb/account/views.py b/pgweb/account/views.py
index 4f6cfa78..7a0a30de 100644
--- a/pgweb/account/views.py
+++ b/pgweb/account/views.py
@@ -6,6 +6,7 @@ from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404
 from pgweb.util.decorators import login_required, script_sources, frame_sources, content_sources, queryparams
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.cache import never_cache
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_encode
 from django.contrib.auth.tokens import default_token_generator
@@ -406,8 +407,11 @@ def login(request):
                                        })(request)
 
 
+@never_cache
 def logout(request):
-    return authviews.logout_then_login(request, login_url='/')
+    if request.method == 'POST':
+        return authviews.logout_then_login(request, login_url='/')
+    return render_pgweb(request, 'account', 'account/logout.html', {})
 
 
 def changepwd(request):
diff --git a/templates/account/logout.html b/templates/account/logout.html
new file mode 100644
index 00000000..6b40764e
--- /dev/null
+++ b/templates/account/logout.html
@@ -0,0 +1,11 @@
+{%extends "base/page.html"%}
+{%block title%}Log out{%endblock%}
+{%block contents%}
+<h1>Log out</h1>
+<p>Are you sure you want to log out of your PostgreSQL community account?</p>
+<form method="post" action="/account/logout/">
+  {% csrf_token %}
+  <input class="btn btn-primary" type="submit" value="Log out">
+  <a href="/account/" class="btn btn-default">Cancel</a>
+</form>
+{%endblock%}
-- 
2.50.1 (Apple Git-155)



^ permalink  raw  reply  [nested|flat] 6+ messages in thread


end of thread, other threads:[~2026-03-25 01:35 UTC | newest]

Thread overview: 6+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-03-19 22:15 Unable to log out of postgresql.org Jack Bonatakis <[email protected]>
2026-03-19 22:21 ` Daniel Gustafsson <[email protected]>
2026-03-19 23:49   ` Jack Bonatakis <[email protected]>
2026-03-20 18:26     ` Magnus Hagander <[email protected]>
2026-03-21 01:51       ` Jack Bonatakis <[email protected]>
2026-03-25 01:35         ` Jack Bonatakis <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox