From c9235146e0102d03bb4548711cd0b3b0637d81fa Mon Sep 17 00:00:00 2001
From: Tres Seaver <tseaver@palladion.com>
Date: Sun, 9 Jun 2024 16:28:34 -0400
Subject: docs: remove 'came_from' from login view

- The narrative doesn't discuss this (mis-)feature.

- Without any authorization, there is no meaninful reason to remember
  the 'previous' page.

- As a general rule, we want to avoid trusting user-supplied data (i.e.,
  from the query string or form params) when constructing redirect URLs.
---
 docs/quick_tutorial/authentication.rst               | 2 +-
 docs/quick_tutorial/authentication/tutorial/home.pt  | 6 ++++--
 docs/quick_tutorial/authentication/tutorial/login.pt | 2 --
 docs/quick_tutorial/authentication/tutorial/views.py | 7 +------
 4 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst
index 3f6df17de..da76f3ec7 100644
--- a/docs/quick_tutorial/authentication.rst
+++ b/docs/quick_tutorial/authentication.rst
@@ -137,7 +137,7 @@ Subsequent requests return that cookie and identify the user.
 In our template, we fetched the ``logged_in`` value from the view class. We use
 this to calculate the logged-in user, if any. In the template we can then
 choose to show a login link to anonymous visitors or a logout link to logged-in
-users.
+users, including their login name.
 
 
 Extra credit
diff --git a/docs/quick_tutorial/authentication/tutorial/home.pt b/docs/quick_tutorial/authentication/tutorial/home.pt
index ed911b673..0e8508558 100644
--- a/docs/quick_tutorial/authentication/tutorial/home.pt
+++ b/docs/quick_tutorial/authentication/tutorial/home.pt
@@ -8,8 +8,10 @@
 <div>
     <a tal:condition="view.logged_in is None"
             href="${request.application_url}/login">Log In</a>
-    <a tal:condition="view.logged_in is not None"
-            href="${request.application_url}/logout">Logout</a>
+    <span tal:condition="view.logged_in is not None">
+     <a href="${request.application_url}/logout">Logout</a>
+        as ${view.logged_in}
+    </span>
 </div>
 
 <h1>Hi ${name}</h1>
diff --git a/docs/quick_tutorial/authentication/tutorial/login.pt b/docs/quick_tutorial/authentication/tutorial/login.pt
index 9e5bfe2ad..db8080fc8 100644
--- a/docs/quick_tutorial/authentication/tutorial/login.pt
+++ b/docs/quick_tutorial/authentication/tutorial/login.pt
@@ -8,8 +8,6 @@
 <span tal:replace="message"/>
 
 <form action="${url}" method="post">
-    <input type="hidden" name="came_from"
-           value="${came_from}"/>
     <label for="login">Username</label>
     <input type="text" id="login"
            name="login"
diff --git a/docs/quick_tutorial/authentication/tutorial/views.py b/docs/quick_tutorial/authentication/tutorial/views.py
index b2d9354ec..7c57d6371 100644
--- a/docs/quick_tutorial/authentication/tutorial/views.py
+++ b/docs/quick_tutorial/authentication/tutorial/views.py
@@ -33,10 +33,6 @@ class TutorialViews:
     def login(self):
         request = self.request
         login_url = request.route_url('login')
-        referrer = request.url
-        if referrer == login_url:
-            referrer = '/'  # never use login form itself as came_from
-        came_from = request.params.get('came_from', referrer)
         message = ''
         login = ''
         password = ''
@@ -46,7 +42,7 @@ class TutorialViews:
             hashed_pw = USERS.get(login)
             if hashed_pw and check_password(password, hashed_pw):
                 headers = remember(request, login)
-                return HTTPFound(location=came_from,
+                return HTTPFound(location=request.route_url("home"),
                                  headers=headers)
             message = 'Failed login'
 
@@ -54,7 +50,6 @@ class TutorialViews:
             name='Login',
             message=message,
             url=request.application_url + '/login',
-            came_from=came_from,
             login=login,
             password=password,
         )
-- 
cgit v1.2.3