authorNavaL <mnandri@thoughtworks.com>2016-02-25 09:16:28 +0100
committerNavaL <mnandri@thoughtworks.com>2016-02-25 09:43:02 +0100
commit1e1668f98afd04e2da7c779a825e6d28e777fec7 (patch)
tree3083f6e70f1e3ae004326ff2ece87a768794c40a /service
parent9573bdca55ddc5488066d3af525e41ed1d872ea6 (diff)
changed logout to post
Issue #612
Diffstat (limited to 'service')
-rw-r--r--service/pixelated/resources/logout_resource.py2
-rw-r--r--service/test/integration/test_logout.py6
-rw-r--r--service/test/support/integration/multi_user_client.py9
-rw-r--r--service/test/unit/resources/test_logout_resources.py8
4 files changed, 22 insertions, 3 deletions
diff --git a/service/pixelated/resources/logout_resource.py b/service/pixelated/resources/logout_resource.py
index fe80316e..344ad2e9 100644
--- a/service/pixelated/resources/logout_resource.py
+++ b/service/pixelated/resources/logout_resource.py
@@ -8,7 +8,7 @@ class LogoutResource(BaseResource):
BASE_URL = "logout"
isLeaf = True
- def render_GET(self, request):
+ def render_POST(self, request):
session = self.get_session(request)
self._services_factory.log_out_user(session.user_uuid)
session.expire()
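Review bot: render_POST, as shown here, expires the session with no visible CSRF-token check, so moving logout from GET to POST only helps if the token is validated before this handler runs. The integration test in this commit sends a `csrftoken` field, which suggests that it is, but the check is not visible in this hunk. A one-line comment above the method would record the dependency, e.g. `# POST only: logout changes state and relies on the CSRF check applied to POST requests upstream`. It is also worth confirming what `session.user_uuid` holds for a request without a logged-in session, since it is passed straight to `log_out_user`. The method body continues outside the hunk.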
diff --git a/service/test/integration/test_logout.py b/service/test/integration/test_logout.py
index 52f7e34f..da414126 100644
--- a/service/test/integration/test_logout.py
+++ b/service/test/integration/test_logout.py
@@ -13,10 +13,11 @@
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
+import json
+
from mockito import verify
from twisted.internet import defer
-from test.support.integration import load_mail_from_file
from test.support.integration.multi_user_client import MultiUserClient
from test.support.integration.soledad_test_base import SoledadTestBase
@@ -34,7 +35,8 @@ class MultiUserLogoutTest(MultiUserClient, SoledadTestBase):
yield self.wait_for_session_user_id_to_finish()
- response, request = self.get("/logout", as_json=False, from_request=login_request)
+ response, request = self.post("/logout", json.dumps({'csrftoken': [login_request.getCookie('XSRF-TOKEN')]}),
+ from_request=login_request, as_json=False)
yield response
self.assertEqual(302, request.responseCode) # redirected
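Review bot: Only the accepted path is exercised here: the POST carries the token read from `login_request.getCookie('XSRF-TOKEN')`, and nothing shows a logout POST with a missing or mismatched `csrftoken` being refused. Without that negative case the test would still pass if the token were never checked for `/logout`. A second test that posts `json.dumps({'csrftoken': ['wrong']})` (a constructed value) and asserts the session is still valid afterwards would cover it. The expected status code for a rejected request is not visible here, so take it from the CSRF handling code. The test method starts outside the hunk.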
diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py
index fa65fb06..5f24456b 100644
--- a/service/test/support/integration/multi_user_client.py
+++ b/service/test/support/integration/multi_user_client.py
@@ -82,3 +82,12 @@ class MultiUserClient(AppTestClient):
session = from_request.getSession()
request.session = session
return self._render(request, as_json)
+
+ def post(self, path, body='', headers=None, ajax=True, csrf='token', as_json=True, from_request=None):
+ headers = headers or {'Content-Type': 'application/json'}
+ request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf)
+
+ if from_request:
+ session = from_request.getSession()
+ request.session = session
+ return self._render(request, as_json)
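Review bot: The new `post` helper defaults to `csrf='token'` and has no docstring, so a caller cannot tell that every POST it builds carries a fixed CSRF value unless overridden (what `request_mock` does with it is outside this hunk). A short docstring should say that `csrf` is forwarded to `request_mock`, that `from_request` reuses that request's session, and that tests of CSRF rejection must pass a different value. The last three lines repeat the tail of the method above, visible as context, so a small private helper would remove the copy. `if from_request is not None:` would state the intent more exactly than the truthiness test.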
diff --git a/service/test/unit/resources/test_logout_resources.py b/service/test/unit/resources/test_logout_resources.py
index 48cf9db9..6246eeb9 100644
--- a/service/test/unit/resources/test_logout_resources.py
+++ b/service/test/unit/resources/test_logout_resources.py
@@ -1,6 +1,7 @@
from mock import patch
from mockito import mock, verify
from twisted.trial import unittest
+from twisted.web.error import UnsupportedMethod
from twisted.web.test.requesthelper import DummyRequest
from pixelated.resources.logout_resource import LogoutResource
@@ -16,6 +17,7 @@ class TestLogoutResource(unittest.TestCase):
@patch('twisted.web.util.redirectTo')
def test_logout(self, mock_redirect):
request = DummyRequest(['/logout'])
+ request.method = 'POST'
mock_redirect.return_value = 'haha'
@@ -29,3 +31,9 @@ class TestLogoutResource(unittest.TestCase):
d.addCallback(expire_session_and_redirect)
return d
+
+ def test_get_is_not_supported_for_logout(self):
+ request = DummyRequest(['/logout'])
+ request.method = 'GET'
+
+ self.assertRaises(UnsupportedMethod, self.web.get, request)
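Review bot: test_get_is_not_supported_for_logout checks that GET raises `UnsupportedMethod` but not that the session survives the attempt, which is the property this commit is after. After the `assertRaises` line, also verify that neither the services-factory logout call nor the session expiry was invoked, using the mocks built in setUp (outside this hunk, so the exact names need checking). `assertRaises` only catches a synchronous raise; presumably `self.web.get` raises directly here, but if it can return a Deferred the failure would need `assertFailure` instead.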