
Refs #15619 -- Removed support for logging out via GET requests.

Per deprecation timeline.
Mariusz Felisiak 2 years ago
parent
commit
9a01311d20

+ 2 - 17
django/contrib/auth/views.py

@@ -1,4 +1,3 @@
-import warnings
 from urllib.parse import urlparse, urlunparse
 
 from django.conf import settings
@@ -22,7 +21,6 @@ from django.http import HttpResponseRedirect, QueryDict
 from django.shortcuts import resolve_url
 from django.urls import reverse_lazy
 from django.utils.decorators import method_decorator
-from django.utils.deprecation import RemovedInDjango50Warning
 from django.utils.http import url_has_allowed_host_and_scheme, urlsafe_base64_decode
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.cache import never_cache
@@ -128,25 +126,15 @@ class LogoutView(RedirectURLMixin, TemplateView):
     Log out the user and display the 'You are logged out' message.
     """
 
-    # RemovedInDjango50Warning: when the deprecation ends, remove "get" and
-    # "head" from http_method_names.
-    http_method_names = ["get", "head", "post", "options"]
+    http_method_names = ["post", "options"]
     template_name = "registration/logged_out.html"
     extra_context = None
 
-    # RemovedInDjango50Warning: when the deprecation ends, move
-    # @method_decorator(csrf_protect) from post() to dispatch().
+    @method_decorator(csrf_protect)
     @method_decorator(never_cache)
     def dispatch(self, request, *args, **kwargs):
-        if request.method.lower() == "get":
-            warnings.warn(
-                "Log out via GET requests is deprecated and will be removed in Django "
-                "5.0. Use POST requests for logging out.",
-                RemovedInDjango50Warning,
-            )
         return super().dispatch(request, *args, **kwargs)
 
-    @method_decorator(csrf_protect)
     def post(self, request, *args, **kwargs):
         """Logout may be done via POST."""
         auth_logout(request)
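Review bot: The `http_method_names = ["post", "options"]` line no longer has a comment, so nothing at the declaration says that leaving out GET and HEAD is a deliberate security choice and not an oversight. I would add `# GET and HEAD are rejected with 405 so that logging out always goes through a CSRF-checked POST.` above it, so a later edit does not re-add "get" for convenience. The `post()` docstring `"""Logout may be done via POST."""` still reads as if POST were one of several options; `"""Log out the user; POST is the only supported method."""` matches the new behaviour. The body of `post()` continues outside this hunk.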
@@ -156,9 +144,6 @@ class LogoutView(RedirectURLMixin, TemplateView):
             return HttpResponseRedirect(redirect_to)
         return super().get(request, *args, **kwargs)
 
-    # RemovedInDjango50Warning.
-    get = post
-
     def get_default_redirect_url(self):
         """Return the default redirect URL."""
         if self.next_page:

+ 4 - 0
docs/releases/5.0.txt

@@ -327,3 +327,7 @@ to remove usage of these features.
 
 * ``created=True`` is required in the signature of
   ``RemoteUserBackend.configure_user()`` subclasses.
+
+* Support for logging out via ``GET`` requests in the
+  ``django.contrib.auth.views.LogoutView`` and
+  ``django.contrib.auth.views.logout_then_login()`` is removed.

+ 0 - 5
docs/topics/auth/default.txt

@@ -1158,11 +1158,6 @@ implementation details see :ref:`using-the-views`.
 
     Logs a user out on ``POST`` requests.
 
-    .. deprecated:: 4.1
-
-        Support for logging out on ``GET`` requests is deprecated and will be
-        removed in Django 5.0.
-
     **URL name:** ``logout``
 
     **Attributes:**

+ 2 - 18
tests/auth_tests/test_views.py

@@ -30,10 +30,9 @@ from django.core.exceptions import ImproperlyConfigured
 from django.db import connection
 from django.http import HttpRequest, HttpResponse
 from django.middleware.csrf import CsrfViewMiddleware, get_token
-from django.test import Client, TestCase, ignore_warnings, override_settings
+from django.test import Client, TestCase, override_settings
 from django.test.client import RedirectCycleError
 from django.urls import NoReverseMatch, reverse, reverse_lazy
-from django.utils.deprecation import RemovedInDjango50Warning
 from django.utils.http import urlsafe_base64_encode
 
 from .client import PasswordResetConfirmClient
@@ -1020,7 +1019,6 @@ class LogoutThenLoginTests(AuthViewsTestCase):
         self.confirm_logged_out()
         self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
 
-    @ignore_warnings(category=RemovedInDjango50Warning)
     @override_settings(LOGIN_URL="/login/")
     def test_default_logout_then_login_get(self):
         self.login()
@@ -1030,10 +1028,7 @@ class LogoutThenLoginTests(AuthViewsTestCase):
         req.META["SERVER_PORT"] = 80
         req.session = self.client.session
         response = logout_then_login(req)
-        # RemovedInDjango50Warning: When the deprecation ends, replace with
-        #   self.assertEqual(response.status_code, 405)
-        self.confirm_logged_out()
-        self.assertRedirects(response, "/login/", fetch_redirect_response=False)
+        self.assertEqual(response.status_code, 405)
 
 
 class LoginRedirectAuthenticatedUser(AuthViewsTestCase):
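Review bot: `test_default_logout_then_login_get` now asserts only `response.status_code == 405`, so it no longer checks what happens to the session when the GET is refused. A regression that logged the user out before returning 405 would still pass. Adding `self.assertIn(SESSION_KEY, self.client.session)` after the status check would pin the property that matters, assuming `SESSION_KEY` is imported in this module as the existing `confirm_logged_out()` helper suggests. The later hunk in `LogoutTest` deletes `test_logout_with_get_raises_deprecation_warning` without a replacement. Unless it is covered elsewhere in the file, a matching test that `self.client.get("/logout/")` returns 405 and leaves the user logged in would cover `LogoutView` the same way.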
@@ -1187,17 +1182,6 @@ class LogoutTest(AuthViewsTestCase):
         self.assertContains(response, "Logged out")
         self.confirm_logged_out()
 
-    def test_logout_with_get_raises_deprecation_warning(self):
-        self.login()
-        msg = (
-            "Log out via GET requests is deprecated and will be removed in Django 5.0. "
-            "Use POST requests for logging out."
-        )
-        with self.assertWarnsMessage(RemovedInDjango50Warning, msg):
-            response = self.client.get("/logout/")
-        self.assertContains(response, "Logged out")
-        self.confirm_logged_out()
-
     def test_14377(self):
         # Bug 14377
         self.login()