From 5eacd75339675ff88d1dbe55a42d7b2d2dd3c7cd Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Tue, 6 Sep 2016 14:05:28 +0200
Subject: [PATCH] SONAR-7760 Return to feature should not use HTTP session

---
 .../webapp/WEB-INF/app/controllers/sessions_controller.rb | 8 ++++----
 .../src/main/webapp/WEB-INF/app/views/users/new.html.erb | 1 -
 .../src/main/webapp/WEB-INF/lib/authenticated_system.rb | 5 ++---
 .../sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb | 5 +++++
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index f688c3551db..74e3fb540ab 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -38,13 +38,13 @@ class SessionsController < ApplicationController
   end
 
   def new
+    default = home_url
     if params[:return_to]
       # user clicked on the link "login" : redirect to the original uri after authentication
-      session[:return_to] = Api::Utils.absolute_to_relative_url(params[:return_to])
-      return_to = Api::Utils.absolute_to_relative_url(params[:return_to])
+      default = Api::Utils.absolute_to_relative_url(params[:return_to])
       # else the original uri can be set by ApplicationController#access_denied
     end
-    @return_to = get_redirect_back_or_default(home_url)
+    @return_to = get_redirect_back_or_default(default)
   end
 
   private
@@ -52,7 +52,7 @@ class SessionsController < ApplicationController
   # Get redirection to the URI stored by the most recent store_location call or to the passed default.
   def get_redirect_back_or_default(default)
     # Prevent CSRF attack -> do not accept absolute urls
-    url = session[:return_to] || default
+    url = get_cookie_flash('return_to') || default
     begin
       url = URI(url).request_uri
     rescue
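Review bot: The precedence between the two sources of the return URL flips in `new`: the stored cookie value read inside get_redirect_back_or_default now wins over the path derived from `params[:return_to]`, whereas the removed `session[:return_to] = ...` assignment made the explicit link parameter win. A leftover `return_to` flash cookie from an earlier access_denied would then send the user somewhere other than where the login link pointed. If the old ordering is wanted, the parameter should be stored (or the helper given an explicit override) before the lookup, keeping the `URI(url).request_uri` normalisation on both paths. Either way the context comment `# else the original uri can be set by ApplicationController#access_denied` no longer describes the actual order and should state that the stored location takes priority when both are present.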
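Review bot: `url = get_cookie_flash('return_to') || default` replaces a server-side session value with a client-writable cookie, so the `URI(url).request_uri` normalisation below is now the only barrier between a tampered cookie and the redirect target; the comment above it should say so rather than talk about CSRF, e.g. `# return_to now comes from a client-controlled cookie: keep only path and query so an absolute URL cannot become an open redirect`. The same line and comment appear in the second hunk of authenticated_system.rb. get_cookie_flash can also hand back a non-String when the cookie holds other JSON; `URI()` raises on that, and the `rescue` body is outside this hunk, so confirm it falls back to `default` rather than to the raw value.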
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb
index a3f749a10ca..e779a8d23df 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/users/new.html.erb
@@ -1,5 +1,4 @@
-

Sign Up to SonarQube

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb
index f60edd6088b..32657c2f4e9 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -95,7 +95,7 @@ module AuthenticatedSystem
   #
   # We can return to this location by calling #redirect_back_or_default.
   def store_location
-    session[:return_to] = request.request_uri
+    flash[:return_to] = request.request_uri
   end
 
   # Redirect to the URI stored by the most recent store_location call or
@@ -104,7 +104,7 @@ module AuthenticatedSystem
   # for any controller you want to be bounce-backable.
   def redirect_back_or_default(default)
     # Prevent CSRF attack -> do not accept absolute urls
-    url = session[:return_to] || default
+    url = get_cookie_flash('return_to') || default
     begin
       url = URI(url).request_uri
     rescue
@@ -113,7 +113,6 @@ module AuthenticatedSystem
     anchor=params[:return_to_anchor]
     url += anchor if anchor && anchor.start_with?('#')
     redirect_to(url)
-    session[:return_to] = nil
   end
 
   # Inclusion hook to make #current_user and #logged_in?
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb b/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb
index 1a0c9289981..c7021b69cf2 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/lib/cookie_flash.rb
@@ -24,6 +24,11 @@ module CookieFlash
     end
   end
 
+  def get_cookie_flash(key)
+    cflash = (JSON.parse(cookies['flash']) if cookies['flash']) || {} rescue {}
+    cflash[key]
+  end
+
   # @parameters
   # cookies -
   # There might be crusty flash from a previous request, or set elsewhere, already in the cookie.
-- 
2.39.5
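Review bot: `flash[:return_to] = request.request_uri` writes through `flash`, but the readers now call `get_cookie_flash('return_to')`, which parses the `flash` cookie with a String key; this only lines up if `flash` here is the CookieFlash-backed hash that serialises to that cookie with stringified keys, not the standard Rails flash, which is itself session-backed and would defeat the purpose of the commit. That wiring is outside this diff, so please confirm it and document it on store_location, e.g. `# Stored in the "flash" cookie (see CookieFlash), not the HTTP session; read back by redirect_back_or_default`. The third hunk also drops `session[:return_to] = nil` without clearing the cookie entry after use, so unless the CookieFlash sweep discards it on the next request a stale return_to would be reused on later logins.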
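Review bot: The `rescue {}` in get_cookie_flash only guards the parse line; when the cookie parses to something other than a Hash (a JSON array, for instance, from a stale or tampered cookie) `cflash[key]` on the next line raises TypeError unrescued, and since redirect_back_or_default now calls this the login flow presumably fails with an error instead of falling back to `default`. Guard the lookup: `cflash[key] if cflash.is_a?(Hash)`. The returned value is also whatever JSON type the cookie carried, so callers that expect a String need to check or coerce it, and a `begin`/`rescue JSON::ParserError` would be clearer than the modifier form, which swallows every StandardError.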