Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't use "/logout" as the next-url for login #25086

Merged
merged 1 commit into from
Oct 5, 2020
Merged

Don't use "/logout" as the next-url for login #25086

merged 1 commit into from
Oct 5, 2020

Conversation

nedbat
Copy link
Contributor

@nedbat nedbat commented Sep 24, 2020

If /logout is the current page, redirecting back there after logging in
makes the whole exercise pointless.

Don't use a login next-url of /logout
3ee5a3d 
If /logout is the current page, redirecting back there after logging in
makes the whole exercise pointless.
@edx-status-bot
Copy link

Your PR has finished running tests. There were no failures.

@nedbat
Copy link
Contributor Author

nedbat commented Sep 24, 2020

@kdmccormick @cpennington Is there a reasonable place to put a test? Is it needed?

@kdmccormick
Copy link
Member

kdmccormick commented Sep 24, 2020
edited
Loading

@nedbat Since we ripped out bokchoy, I don't think there's an obvious way to test templates. So if you go this route, then no, don't bother testing it.

You could also put the change deeper in the backend: all LMS 'next' params go through is_safe_login_or_logout_redirect. Doing the validation there would stop this from popping up on the eventual MFE login/logout page.

@nedbat
Copy link
Contributor Author

nedbat commented Sep 25, 2020

I'd want to understand it a little better, but at a first look, is_safe_login_or_logout_redirect doesn't seem right: if it rejects "/logout", its caller will log a warning message about an unsafe redirect. That would add a lot of misleading noise to the logs.

kdmccormick
kdmccormick approved these changes Oct 5, 2020
View reviewed changes
Copy link
Member

@kdmccormick kdmccormick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it rejects "/logout", its caller will log a warning message about an unsafe redirect. That would add a lot of misleading noise to the logs.

Good point. And I could see it argued that this is more of a front-end concern, anyway: there's nothing wrong or unsafe about redirecting to /logout, it's just bad UX.

Anyway, thanks for fixing this, LGTM 👍

@nedbat nedbat merged commit 17bc82c into master Oct 5, 2020
@nedbat nedbat deleted the nedbat/logout-login branch October 5, 2020 21:13
@edx-pipeline-bot
Copy link
Contributor

EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production.

@edx-pipeline-bot
Copy link
Contributor

EdX Release Notice: This PR has been deployed to the production environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kdmccormick kdmccormick kdmccormick approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nedbat @edx-status-bot @kdmccormick @edx-pipeline-bot