By default, POSTs will be auto reloaded, and can mutate state depending on the url behaviour.
Often, a POST will redirect, so it's not a problem. But sometimes returning content directly from the POST response is valid. If a user leaves the page open, it will then be reloaded as a POST, which I don't think is desirable.
As an example, we had a POST view that generates a one-time password to use. We store the hashed version in the db, but display the plain text version to the user in the POST response body. When django-browser-reload reloads the page, it does a POST (which in our case generates a new one-time password, invalidating the old one). We don't redirect as we don't want to store the plain text version of the password in a url (or in the session, ideally).
Would you support the idea of a config option to disable reloading of anything except GETs? On by default, for b/w compat?
evansd added a commit to opensafely-core/job-server that referenced this issue on Feb 8, 2024:
In development, this causes the single-use token page to be unexpectedly
reloaded, thus generating a new token and causing confusion.
This is a (hopefully) temporary workaround in advance of this being a
configurable option in `django-browser-reload`:
adamchainz/django-browser-reload#243
What situations do you consider returning content from a POST as valid? I always try to apply “Post/Redirect/Get”. Users might re-POST accidentally by pressing refresh, restarting their browser, or whatever.
Still, let’s add a check that the page was loaded with GET. No need to make it configurable. I think it should work to only render/inject the template tag for GET requests. Can you give that a try and make a PR?
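The check proposed in the reply above, sketched as an added example that is not part of the original thread and is not django-browser-reload's code: a framework-neutral WSGI wrapper that injects a development reload tag only into HTML responses to GET requests, so a page rendered by a state-changing POST is never re-requested. The script path, `token_app`, `ReloadOnGetOnly` and `request` are hypothetical names constructed for the illustration.

```python
import secrets
from wsgiref.util import setup_testing_defaults

# Placeholder tag; the real reload script and its URL are not shown on this page.
RELOAD_TAG = b'<script src="/hypothetical-reload.js" defer></script>'
issued = []  # tokens handed out by the constructed sample view

def token_app(environ, start_response):
    """Constructed view: each POST issues a new one-time token shown once in the body."""
    if environ["REQUEST_METHOD"] == "POST":
        issued.append(secrets.token_urlsafe(8))
        body = f"<html><body>Token: {issued[-1]}</body></html>".encode()
    else:
        body = b"<html><body><form method='post'><button>New</button></form></body></html>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]

class ReloadOnGetOnly:
    """Inject the reload tag into HTML responses, but only when the request was a GET."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
        body = b"".join(self.app(environ, capture))
        headers = captured["headers"]
        is_html = any(k.lower() == "content-type" and v.startswith("text/html")
                      for k, v in headers)
        # The gate: a response produced by POST (or any non-GET) is left untouched.
        if environ["REQUEST_METHOD"] == "GET" and is_html and b"</body>" in body:
            body = body.replace(b"</body>", RELOAD_TAG + b"</body>", 1)
            headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
            headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]

def request(app, method):
    """Drive a WSGI app once in-process and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    return seen.get("status"), b"".join(app(environ, start_response))
```

In a Django middleware or template tag the equivalent condition is `request.method == "GET"`.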