From c9235146e0102d03bb4548711cd0b3b0637d81fa Mon Sep 17 00:00:00 2001
From: Tres Seaver
Date: Sun, 9 Jun 2024 16:28:34 -0400
Subject: docs: remove 'came_from' from login view

- The narrative doesn't discuss this (mis-)feature.
- Without any authorization, there is no meaningful reason to remember the 'previous' page.
- As a general rule, we want to avoid trusting user-supplied data (i.e., from the query string or form params) when constructing redirect URLs.
---
 docs/quick_tutorial/authentication.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/quick_tutorial/authentication.rst')

diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst
index 3f6df17de..da76f3ec7 100644
--- a/docs/quick_tutorial/authentication.rst
+++ b/docs/quick_tutorial/authentication.rst
@@ -137,7 +137,7 @@ Subsequent requests return that cookie and identify the user. In our template, we fetched the ``logged_in`` value from the view class. We use this to calculate the logged-in user, if any. In the template we can then choose to show a login link to anonymous visitors or a logout link to logged-in -users. +users, including their login name. Extra credit
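Review bot: the only change visible in this hunk is the narrative wording ("users." to "users, including their login name."), which does not correspond to the subject "remove 'came_from' from login view"; because the page is limited to docs/quick_tutorial/authentication.rst, the actual removal of came_from from the login view and template is not on this page and cannot be reviewed here, and the diffstat above reflects only the filtered view. Either add a bullet to the commit message saying why the narrative now mentions the login name, or split that wording tweak into its own commit so the docs change and the came_from removal are reviewable separately. Since the third bullet of the message carries the real security rationale (a redirect target taken from the query string or form is attacker-controlled), the narrative would also benefit from one sentence stating that the post-login redirect goes to a fixed in-site location rather than a user-supplied one, so the tutorial teaches the rule the commit enforces. Minor, in the unchanged context: "calculate the logged-in user" reads oddly; "determine" is the intended sense.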
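The third bullet of the commit message states the rule (do not build redirect URLs from user-supplied data) without showing what goes wrong when it is broken. The following is an added example, not part of this commit, the Pyramid tutorial, or the project's code: plain Python with no Pyramid dependency, in which the names naive_redirect_target and safe_redirect_target and the list of sample came_from values are constructed for illustration. It contrasts a view that trusts came_from as-is with a check that only lets path-only, same-site targets through and falls back to a fixed location for everything else.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the Pyramid docs): values an
# attacker could place in ?came_from= and what each one is trying to do.
SAMPLE_TARGETS = [
    "/hello",                      # legitimate in-site path
    "/hello?x=1#frag",             # in-site path with query and fragment
    "https://evil.example/phish",  # absolute URL to another host
    "//evil.example/phish",        # scheme-relative: resolves to https://evil.example
    "/\\evil.example",             # backslash variant some browsers normalise to //
    "javascript:alert(1)",         # non-HTTP scheme
    "/hello\r\nSet-Cookie: a=b",   # CRLF: header injection if echoed into Location
    "",                            # parameter missing or empty
]


def naive_redirect_target(came_from, default="/"):
    """The (mis-)feature the commit removes: use the parameter verbatim.

    Every off-site or malformed value above passes straight through, so the
    login page becomes an open redirector (and a header-injection vector).
    """
    return came_from or default


def safe_redirect_target(came_from, default="/"):
    """Return came_from only if it is a rooted, same-site path; else default.

    Hypothetical hardening for the case where a return-to target is truly
    needed. The commit itself takes the simpler route of dropping came_from.
    """
    if not came_from:
        return default
    # Reject control characters before parsing: CR/LF in a Location header
    # lets the client be handed attacker-chosen headers.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in came_from):
        return default
    parts = urlsplit(came_from)
    # Any scheme or host means off-site: covers https://host, //host and
    # javascript: alike, since urlsplit reports each as scheme or netloc.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # Require a rooted path and refuse the two prefixes browsers may read as
    # protocol-relative. urlsplit does not treat "\" as a separator, so the
    # backslash form has to be rejected explicitly.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    return came_from


def accepted_targets(targets=SAMPLE_TARGETS, default="/"):
    """Which of the sample values the hardened check lets through unchanged."""
    return [t for t in targets if safe_redirect_target(t, default) != default]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(repr(t), "->", repr(safe_redirect_target(t)))
```

Only the two in-site paths survive the check; everything else collapses to the fixed default. Whether to keep a validated return-to parameter at all is a separate decision: as the commit message notes, with no authorization in the tutorial there is no page worth returning to, and removing the parameter is both simpler and strictly safer than validating it.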