From 1bae24691f1e9f87daa32b09827c2e3a6af075c3 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Wed, 1 Jul 2020 14:25:59 -0700
Subject: [PATCH] Only show 'log out' if ds_cookie present, closes #884

---
 datasette/app.py              | 1 +
 datasette/templates/base.html | 4 ++--
 tests/test_auth.py            | 8 ++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/datasette/app.py b/datasette/app.py
index 1473cce8..dd443af9 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -739,6 +739,7 @@ class Datasette:
             **{
                 "actor": request.actor if request else None,
                 "display_actor": display_actor,
+                "show_logout": "ds_actor" in request.cookies,
                 "app_css_hash": self.app_css_hash(),
                 "zip": zip,
                 "body_scripts": body_scripts,
diff --git a/datasette/templates/base.html b/datasette/templates/base.html
index e739d804..fd4cf504 100644
--- a/datasette/templates/base.html
+++ b/datasette/templates/base.html
@@ -17,11 +17,11 @@
 <nav class="hd">{% block nav %}
     {% if actor %}
     <div class="logout">
-        <strong>{{ display_actor(actor) }}</strong> &middot;
+        <strong>{{ display_actor(actor) }}</strong>{% if show_logout %} &middot;
         <form action="/-/logout" method="post">
             <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
             <button class="button-as-link">Log out</button>
-        </form>
+        </form>{% endif %}
     </div>
     {% endif %}
 {% endblock %}</nav>
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 1d8148f9..d14af873 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -92,3 +92,11 @@ def test_logout_button_in_navigation(app_client, path):
     ):
         assert fragment in response.text
         assert fragment not in anon_response.text
+
+
+@pytest.mark.parametrize("path", ["/", "/fixtures", "/fixtures/facetable"])
+def test_no_logout_button_in_navigation_if_no_ds_actor_cookie(app_client, path):
+    response = app_client.get(path + "?_bot=1")
+    assert "<strong>bot</strong>" in response.text
+    assert "<strong>bot</strong> &middot;" not in response.text
+    assert '<form action="/-/logout" method="post">' not in response.text