rDrama/files
painejohn 0e165e17c0 Fixes #110 "Signout doesn't always work"
I tried reproducing the issues from #110 but without luck. The
workflow looks a little like this:

- User changes their avatar.
    - This triggers a POST request to the profile endpoint.
- User clicks "Log out" from the dropdown menu.
    - This triggers the post_toast function in js that makes a POST to
      /logout, which clears the user's session. Then, on receipt of the
      response, the js calls `location.reload`, which replays the
      browser's last action, which in our case is the earlier POST
      request to the profile endpoint. This is why the browser asks
      whether it's OK to resubmit the data _again_. Agreeing resubmits
      the first POST request.
    - After `location.reload`, since the user is no longer logged in,
      they either get a 405 (from the profile edit page) or a 500 (from
      the profile overview page).

This PR then changes the `/logout` endpoint from POST to GET, then
updates the header template to change the "Log out" anchor to simply
link to "/logout" instead of calling any js.

Reasoning behind it:
- logout doesn't modify server-side resources, so it's safe to make it a
  GET request.
- Making it a GET prevents the browser from ever displaying the "data
  resubmit" warning window.
- The "/logout" endpoint can now simply redirect to the homepage.
2022-07-29 06:47:19 -05:00
assets Merge pull request #122 from zorbathut/pr_fixvote 2022-07-26 23:19:33 -04:00
classes Filter on other pages as well 2022-07-09 06:33:41 -05:00
commands [#72] Add seed_db command 2022-06-09 01:33:58 -07:00
helpers Remove the #fortune feature. 2022-07-23 06:00:38 -05:00
mail Convert text file line endings to LF. 2022-05-09 07:20:47 -05:00
routes Fixes #110 "Signout doesn't always work" 2022-07-29 06:47:19 -05:00
templates Fixes #110 "Signout doesn't always work" 2022-07-29 06:47:19 -05:00
tests Add basic posting to the e2e test. 2022-05-21 21:39:54 -05:00
__init__.py Initial e2e testing 2022-05-13 02:55:29 -05:00
__main__.py Allow use of mail servers besides Gmail. 2022-07-03 10:14:09 -05:00
cli.py [#72] Ensure seed_db command is actually imported when calling into flask 2022-06-09 01:34:46 -07:00