Move the anti-referrer login to only logout

This has no functional difference, just a cosmetic difference that does not give the erroneous impression a logout actually occurred. This does mean that if a browser disables cookies and uses the api explorer, there would be an opportunity for a CSRF.
2026-04-12 20:01:30 +00:00 · 2016-11-30 10:15:44 -05:00
parent bf8dff90f3
commit d2156f3d67
1 changed files with 6 additions and 4 deletions
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -283,11 +283,13 @@ def _authorize_request(env, operation):
                        name, element=None,
                        skipuserobj=httpsessions[sessionid]['skipuserobject'])
    if (not authdata) and 'HTTP_AUTHORIZATION' in env:
-        # We do not allow a link into the api browser to come in with just
-        # username and password
-        if 'HTTP_REFERER' in env:
-            return {'code': 401}
        if env['PATH_INFO'] == '/sessions/current/logout':
+            if 'HTTP_REFERER' in env:
+                # note that this doesn't actually do harm
+                # otherwise, but this way do not give appearance
+                # of something having a side effect if it has the smell
+                # of a CSRF
+                return {'code': 401}
            return ('logout',)
        name, passphrase = base64.b64decode(
            env['HTTP_AUTHORIZATION'].replace('Basic ', '')).split(':', 1)