From 22de220614124b30454d413d63b3dcc2b624c126 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Wed, 14 Oct 2015 16:41:20 +0200
Subject: [PATCH] SONAR-6880 Fix return_to

Because of the reset of the session, the return_to value was removed.
---
 .../WEB-INF/app/controllers/sessions_controller.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index 6822f16fddd..f844588a18b 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -27,9 +27,17 @@ class SessionsController < ApplicationController
   def login
     return unless request.post?
+    return_to = session[:return_to]
+
     # Needed to bypass session fixation vulnerability (https://jira.sonarsource.com/browse/SONAR-6880)
     reset_session
+    if return_to
+      # user clicked on the link "login" : redirect to the original uri after authentication
+      session[:return_to] = Api::Utils.absolute_to_relative_url(return_to)
+      # else the original uri can be set by ApplicationController#access_denied
+    end
+
     self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
     if logged_in?
       if params[:remember_me] == '1'
@@ -54,6 +62,7 @@ class SessionsController < ApplicationController
   end
   def new
+    params[:return_to]
     if params[:return_to]
       # user clicked on the link "login" : redirect to the original uri after authentication
       session[:return_to] = Api::Utils.absolute_to_relative_url(params[:return_to])
-- 
2.39.5
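Review bot: The two comments inside the new `if return_to` block in `login` are copied from `new` and no longer describe this code: the value here comes from the session (stored earlier by `new` or by `ApplicationController#access_denied`), not from a click on the login link, and the `# else ...` line sits inside a body that has no `else` branch. Replacing both with `# Carry the post-login redirect target across reset_session; it was stored by #new or ApplicationController#access_denied and is re-normalised to a relative path so the new session only receives a validated value` would also record why this is the one piece of state deliberately preserved from the pre-reset session, which matters for the SONAR-6880 fixation fix the surrounding comment refers to. That last clause assumes `Api::Utils.absolute_to_relative_url` returns only relative paths; its implementation is not in this hunk, so confirm before relying on it. `login` continues past the end of the hunk.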
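Review bot: The line added to `new`, `params[:return_to]`, is a bare expression whose value is discarded, so it has no effect and reads like a debugging leftover; it should be removed rather than shipped. The guard the author may have intended is already provided by the `if params[:return_to]` context line that follows it. As reconstructed from the collapsed hunk this is a standalone statement; if it was actually written as `params[:return_to] if params[:return_to]` on one line it is equally a no-op. `new` continues past the end of the hunk.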