docs: remove 'came_from' from login view

- The narrative doesn't discuss this (mis-)feature. - Without any authorization, there is no meaninful reason to remember the 'previous' page. - As a general rule, we want to avoid trusting user-supplied data (i.e., from the query string or form params) when constructing redirect URLs.
Pylons · Jun 10, 2024 · c923514 · c923514
1 parent 72f6185
commit c923514
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 11 deletions.
diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst
@@ -137,7 +137,7 @@ Subsequent requests return that cookie and identify the user.
 In our template, we fetched the ``logged_in`` value from the view class. We use
 this to calculate the logged-in user, if any. In the template we can then
 choose to show a login link to anonymous visitors or a logout link to logged-in
-users.
+users, including their login name.
 
 
 Extra credit

diff --git a/docs/quick_tutorial/authentication/tutorial/home.pt b/docs/quick_tutorial/authentication/tutorial/home.pt
@@ -8,8 +8,10 @@
 <div>
     <a tal:condition="view.logged_in is None"
             href="${request.application_url}/login">Log In</a>
-    <a tal:condition="view.logged_in is not None"
-            href="${request.application_url}/logout">Logout</a>
+    <span tal:condition="view.logged_in is not None">
+     <a href="${request.application_url}/logout">Logout</a>
+        as ${view.logged_in}
+    </span>
 </div>
 
 <h1>Hi ${name}</h1>

diff --git a/docs/quick_tutorial/authentication/tutorial/login.pt b/docs/quick_tutorial/authentication/tutorial/login.pt
@@ -8,8 +8,6 @@
 <span tal:replace="message"/>
 
 <form action="${url}" method="post">
-    <input type="hidden" name="came_from"
-           value="${came_from}"/>
     <label for="login">Username</label>
     <input type="text" id="login"
            name="login"

diff --git a/docs/quick_tutorial/authentication/tutorial/views.py b/docs/quick_tutorial/authentication/tutorial/views.py
@@ -33,10 +33,6 @@ def hello(self):
     def login(self):
         request = self.request
         login_url = request.route_url('login')
-        referrer = request.url
-        if referrer == login_url:
-            referrer = '/'  # never use login form itself as came_from
-        came_from = request.params.get('came_from', referrer)
         message = ''
         login = ''
         password = ''
@@ -46,15 +42,14 @@ def login(self):
             hashed_pw = USERS.get(login)
             if hashed_pw and check_password(password, hashed_pw):
                 headers = remember(request, login)
-                return HTTPFound(location=came_from,
+                return HTTPFound(location=request.route_url("home"),
                                  headers=headers)
             message = 'Failed login'
 
         return dict(
             name='Login',
             message=message,
             url=request.application_url + '/login',
-            came_from=came_from,
             login=login,
             password=password,
         )