From 4cb44bd7c0b488dbf5ab19801dbc9200959e8b54 Mon Sep 17 00:00:00 2001
From: Aby James <74111044+8bitaby@users.noreply.github.com>
Date: Tue, 5 Mar 2024 14:56:42 +0530
Subject: [PATCH] Update logout function in base.html

Update logout function in base.html

This commit updates the logout functionality in the base template (`base.html`) to improve security and adhere to best practices. The previous implementation used a simple link for logout, which could be susceptible to cross-site request forgery (CSRF) attacks.

The updated code replaces the logout link with a form submission method, utilizing the POST request with CSRF protection. This approach enhances the security of the logout functionality by ensuring that requests to the logout URL are only accepted from authorized sources, preventing potential unauthorized access or malicious actions.

Additionally, the use of a form submission method allows for better compatibility with server-side processing and future scalability. The form includes a CSRF token to mitigate CSRF attacks, providing an additional layer of security.

By making this change, we are prioritizing security and robustness in our application's authentication mechanisms, aligning with industry best practices and ensuring a safer user experience.

This commit addresses issue #536  and implements the recommended solution. Tested locally to ensure proper functionality.
---
 jazzmin/templates/admin/base.html | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/jazzmin/templates/admin/base.html b/jazzmin/templates/admin/base.html
index ed09bd0d..217f5935 100644
--- a/jazzmin/templates/admin/base.html
+++ b/jazzmin/templates/admin/base.html
@@ -160,9 +160,12 @@
                             <i class="fas fa-key mr-2"></i> {% trans 'Change password' %}
                         </a>
                         <div class="dropdown-divider"></div>
-                        <a href="{% url 'admin:logout' %}" class="dropdown-item">
-                            <i class="fas fa-users mr-2"></i> {% trans 'Log out' %}
-                        </a>
+                        <form action="{% url 'admin:logout' %}" method="post">
+                            {% csrf_token %}
+                            <button type="submit" class="dropdown-item">
+                                <i class="fas fa-users mr-2"></i> {% trans 'Log out' %}
+                            </button>
+                        </form>
                         {% get_user_menu user request.current_app|default:"admin" as user_menu %}
                         {% for link in user_menu %}
                             <div class="dropdown-divider"></div>