# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+require 'uri'
+
class ApplicationController < ActionController::Base
before_filter :user_setup, :check_if_login_required, :set_localization
filter_parameter_logging :password
def require_login
if !User.current.logged?
- store_location
- redirect_to :controller => "account", :action => "login"
+ redirect_to :controller => "account", :action => "login", :back_url => request.request_uri
return false
end
true
end
end
- # store current uri in session.
- # return to this location by calling redirect_back_or_default
- def store_location
- session[:return_to_params] = params
- end
-
- # move to the last store_location call or to the passed default one
def redirect_back_or_default(default)
- if session[:return_to_params].nil?
- redirect_to default
- else
- redirect_to session[:return_to_params]
- session[:return_to_params] = nil
+ back_url = params[:back_url]
+ if !back_url.blank?
+ uri = URI.parse(back_url)
+ # do not redirect user to another host
+ if uri.relative? || (uri.host == request.host)
+ redirect_to(back_url) and return
+ end
end
+ redirect_to default
end
def render_403
end
def back_url_hidden_field_tag
- hidden_field_tag 'back_url', (params[:back_url] || request.env['HTTP_REFERER'])
+ back_url = params[:back_url] || request.env['HTTP_REFERER']
+ hidden_field_tag('back_url', back_url) unless back_url.blank?
end
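Review bot: The host guard `if uri.relative? || (uri.host == request.host)` in redirect_back_or_default still admits a scheme-less URI of the form `//other-host/path`, because URI#relative? only tests for a missing scheme while the parsed host is already the other host, so the comment "do not redirect user to another host" does not yet hold for that input. Tightening the condition to `if (uri.relative? && uri.host.nil?) || uri.host == request.host` keeps path-only values and same-host absolute URLs while rejecting the protocol-relative form. URI.parse also raises URI::InvalidURIError on a malformed back_url, which in this method surfaces as an application error rather than the fallback; rescuing that exception around the parse and falling through to `redirect_to default` preserves the intended default behavior for unparseable input. The new test_login_should_not_redirect_to_another_host case in the test file exercises only the absolute-URL form, so a companion case with a scheme-less cross-host value would pin the tightened check.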
def check_all_links(form_name)
assert_nil assigns(:user)
end
+ def test_login_should_redirect_to_back_url_param
+ # request.uri is "test.host" in test environment
+ post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
+ assert_redirected_to '/issues/show/1'
+ end
+
+ def test_login_should_not_redirect_to_another_host
+ post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
+ assert_redirected_to '/my/page'
+ end
+
def test_login_with_wrong_password
post :login, :username => 'admin', :password => 'bad'
assert_response :success