jenkins-bot merged this change.


Approvals:
  Xqt: Looks good to me, approved
  jenkins-bot: Verified

[bugfix] add CSRF token in sitelogout() api call

- Add missing CSRF token since {T25227: Use token when logging out}
is closed upstream, and tests that correspond to.
- site._relogin() was calling site.login() with self._loginstatus, but
this last one is an integer and login() expects a bool. When login fails
(_relogin() usage), _loginstatus equals -1, which is interpreted as
True, resulting in the usage of the sysop account even when it's not wanted.
- Using site.getuserinfo(force=True) at the end of logout() results in an
automatic re-login, since it is detected that the user has logged out
during that API call. So removing the _userinfo attribute cleans the previous
login state.

Bug: T222508
Change-Id: Ia94254b0bfe95c4c13ca71211128f7a0b0fe78d6
---
M pywikibot/site.py
M tests/site_tests.py
2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/pywikibot/site.py b/pywikibot/site.py
index 6729954..9ea655c 100644
--- a/pywikibot/site.py
+++ b/pywikibot/site.py
@@ -2118,9 +2118,8 @@
from the site.
"""
del self._userinfo
- old_status = self._loginstatus
self._loginstatus = LoginStatus.NOT_LOGGED_IN
- self.login(old_status)
+ self.login()

def logout(self):
"""
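
Review bot: In _relogin(), `self.login()` now always runs with the default argument, so a session that held a higher status before the relogin is silently re-established at the default level. If that downgrade is intended, say so in the docstring just above; if not, convert the saved status to the bool that login() expects with an explicit comparison rather than dropping it. Also note that `del self._userinfo` at the top of this method raises AttributeError when the attribute is absent, which is more likely now that logout() deletes it as well; a guarded removal would make a relogin after logout safe.
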
@@ -2133,10 +2132,11 @@
"""
if self.is_oauth_token_available():
pywikibot.warning('Using OAuth suppresses logout function')
- uirequest = self._simple_request(action='logout')
+ uirequest = self._simple_request(action='logout',
+ token=self.tokens['csrf'])
uirequest.submit()
self._loginstatus = LoginStatus.NOT_LOGGED_IN
- self.getuserinfo(force=True)
+ del self._userinfo

def getuserinfo(self, force=False):
"""Retrieve userinfo from site and store in _userinfo attribute.
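
Review bot: In logout(), the value read from `self.tokens['csrf']` belongs to the session being ended, and nothing in this hunk clears the token cache after `uirequest.submit()`. A later login() on the same site object could then reuse a token tied to the old session, so reset the cached tokens alongside `_loginstatus` and `_userinfo`. The token lookup also happens after the OAuth warning rather than being skipped by it, so it is worth confirming that an extra token request is wanted on that path.
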
diff --git a/tests/site_tests.py b/tests/site_tests.py
index 705d194..d157f48 100644
--- a/tests/site_tests.py
+++ b/tests/site_tests.py
@@ -3703,6 +3703,33 @@
self.assertIsNone(page)


+class TestLoginLogout(DefaultSiteTestCase):
+
+ """Test for login and logout methods."""
+
+ def test_login_logout(self):
+ """Validate login and logout methods by toggling the state."""
+ site = self.get_site()
+ loginstatus = pywikibot.site.LoginStatus
+
+ self.assertFalse(site.logged_in())
+
+ site.login()
+ self.assertTrue(site.logged_in())
+ self.assertGreaterEqual(site._loginstatus, loginstatus.AS_USER)
+ self.assertIn('_userinfo', site.__dict__.keys())
+
+ self.assertIsNone(site.login())
+
+ site.logout()
+ self.assertFalse(site.logged_in())
+ self.assertEqual(site._loginstatus, loginstatus.NOT_LOGGED_IN)
+ self.assertNotIn('_userinfo', site.__dict__.keys())
+
+ self.assertRaisesRegexp(AssertionError,
+ 'User must login in this site', site.logout)
+
+
if __name__ == '__main__': # pragma: no cover
try:
unittest.main()

To view, visit change 508072. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia94254b0bfe95c4c13ca71211128f7a0b0fe78d6
Gerrit-Change-Number: 508072
Gerrit-PatchSet: 8
Gerrit-Owner: Framawiki <framawiki@tools.wmflabs.org>
Gerrit-Reviewer: Dvorapa <dvorapa@seznam.cz>
Gerrit-Reviewer: John Vandenberg <jayvdb@gmail.com>
Gerrit-Reviewer: Xqt <info@gno.de>
Gerrit-Reviewer: jenkins-bot (75)