SONAR-7760 Return to feature should not use HTTP session

author Julien Lancelot <julien.lancelot@sonarsource.com>

Tue, 6 Sep 2016 12:05:28 +0000 (14:05 +0200)

committer Julien Lancelot <julien.lancelot@sonarsource.com>

Fri, 9 Sep 2016 08:10:51 +0000 (10:10 +0200)
author Julien Lancelot <julien.lancelot@sonarsource.com>
Tue, 6 Sep 2016 12:05:28 +0000 (14:05 +0200)
committer Julien Lancelot <julien.lancelot@sonarsource.com>
Fri, 9 Sep 2016 08:10:51 +0000 (10:10 +0200)
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb

index f688c3551db36995c8f0586244619e79415ce86d..74e3fb540ab100c3d6dcc2b2a934af1885491e30 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -38,13 +38,13 @@ class SessionsController < ApplicationController
    end
  
    def new
+    default = home_url
      if params[:return_to]
        # user clicked on the link "login" : redirect to the original uri after authentication
-      session[:return_to] = Api::Utils.absolute_to_relative_url(params[:return_to])
-      return_to = Api::Utils.absolute_to_relative_url(params[:return_to])
+      default = Api::Utils.absolute_to_relative_url(params[:return_to])
      # else the original uri can be set by ApplicationController#access_denied
      end
-    @return_to = get_redirect_back_or_default(home_url)
+    @return_to = get_redirect_back_or_default(default)
    end
  
    private
@@ -52,7 +52,7 @@ class SessionsController < ApplicationController
    # Get redirection to the URI stored by the most recent store_location call or to the passed default.
    def get_redirect_back_or_default(default)
      # Prevent CSRF attack -> do not accept absolute urls
-    url = session[:return_to] || default
+    url = get_cookie_flash('return_to') || default
      begin
        url = URI(url).request_uri
      rescue
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb

index a3f749a10ca522bf631bc3862543456dcdde5eaa..e779a8d23df3f304f12c3cfc0f922a4b568ca937 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb
@@ -1,5 +1,4 @@
  <form action="<%= url_for :controller => 'users', :action => 'signup' -%>" method="post">
-  <input type="hidden" name="return_to_anchor" value="">
  
    <h1 class="maintenance-title text-center">Sign Up to SonarQube</h1>
  
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb

index f60edd6088bdd6855426229e1337e70aedfbcff9..32657c2f4e95a38b066a7d092401d8570fd4788b 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -95,7 +95,7 @@ module AuthenticatedSystem
    #
    # We can return to this location by calling #redirect_back_or_default.
    def store_location
-    session[:return_to] = request.request_uri
+    flash[:return_to] = request.request_uri
    end
  
    # Redirect to the URI stored by the most recent store_location call or
@@ -104,7 +104,7 @@ module AuthenticatedSystem
    # for any controller you want to be bounce-backable.
    def redirect_back_or_default(default)
      # Prevent CSRF attack -> do not accept absolute urls
-    url = session[:return_to] || default
+    url = get_cookie_flash('return_to') || default
      begin
        url = URI(url).request_uri
      rescue
@@ -113,7 +113,6 @@ module AuthenticatedSystem
      anchor=params[:return_to_anchor]
      url += anchor if anchor && anchor.start_with?('#')
      redirect_to(url)
-    session[:return_to] = nil
    end
  
    # Inclusion hook to make #current_user and #logged_in?
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb b/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb

index 1a0c92899817d3928d47e6fdcdea5f682e1b6d1b..c7021b69cf2fe1110e2363cbfea82fdc2553ba45 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb
@@ -24,6 +24,11 @@ module CookieFlash
      end
    end
  
+  def get_cookie_flash(key)
+    cflash = (JSON.parse(cookies['flash']) if cookies['flash']) || {} rescue {}
+    cflash[key]
+  end
+
    # @parameters
    #   cookies -
    #     There might be crusty flash from a previous request, or set elsewhere, already in the cookie.
author	Julien Lancelot <julien.lancelot@sonarsource.com>
	Tue, 6 Sep 2016 12:05:28 +0000 (14:05 +0200)
committer	Julien Lancelot <julien.lancelot@sonarsource.com>
	Fri, 9 Sep 2016 08:10:51 +0000 (10:10 +0200)
server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb		patch \| blob \| history
server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb		patch \| blob \| history
server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb		patch \| blob \| history
server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb		patch \| blob \| history