Fix tests: Logout must now be a post not get request. Use mark_safe on SubmitButtonWidget.

frjo · frjo · commit 836b0fb40079 · 2026-01-11T11:39:25.000+01:00
diff --git a/hypha/apply/review/forms.py b/hypha/apply/review/forms.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.utils.html import escape
+from django.utils.safestring import mark_safe
 
 from hypha.apply.review.options import NA
 from hypha.apply.stream_forms.forms import StreamBaseForm
@@ -113,10 +114,12 @@ def calculate_score(self, data):
 class SubmitButtonWidget(forms.Widget):
     def render(self, name, value, attrs=None, renderer=None):
         disabled = "disabled" if attrs.get("disabled") else ""
-        return '<input type="submit" name="{name}" value="{value}" class="btn btn-primary" {disabled}>'.format(
-            disabled=disabled,
-            name=escape(name),
-            value=escape(name.title()),
+        return mark_safe(
+            '<input type="submit" name="{name}" value="{value}" class="btn btn-primary" {disabled}>'.format(
+                disabled=disabled,
+                name=escape(name),
+                value=escape(name.title()),
+            )
         )
 
 
diff --git a/hypha/apply/users/tests/test_middleware.py b/hypha/apply/users/tests/test_middleware.py
@@ -41,5 +41,8 @@ def test_unverified_user_can_access_allowed_urls(self):
             if "success" in path:
                 submission = ApplicationSubmissionFactory()
                 path = str(path) + f"{submission.id}/"
-            response = self.client.get(path, follow=True)
+            if "logout" in path:
+                response = self.client.post(path, follow=True)
+            else:
+                response = self.client.get(path, follow=True)
             self.assertEqual(response.status_code, 200)
diff --git a/hypha/templates/includes/user_menu.html b/hypha/templates/includes/user_menu.html
@@ -86,13 +86,10 @@
                 </form>
             {% endif %}
             <hr />
-            <a
-                href="{% url 'users:logout' %}"
-                title="Log out"
-                class="block py-2 px-3 font-semibold text-center transition-all hover:font-semibold text-error border-x hover:bg-error/10 focus-visible:outline-dashed"
-            >
-                {% trans "Log out" %}
-            </a>
+            <form id="logout-form" method="post" action="{% url 'users:logout' %}">
+                {% csrf_token %}
+                <button class="block py-2 px-3 w-full font-semibold text-center transition-all cursor-pointer hover:font-semibold text-error border-x hover:bg-error/10 focus-visible:outline-dashed" title="Log out" type="submit">{% trans "Log out" %}</button>
+            </form>
         </div>
     </div>
 {% else %}
