-rw-r--r--app/controllers/application.rb25
-rw-r--r--app/helpers/application_helper.rb3
-rw-r--r--app/views/account/login.rhtml1
-rw-r--r--test/functional/account_controller_test.rb11
4 files changed, 25 insertions, 15 deletions
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 2daee50de..debe02162 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -15,6 +15,8 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+require 'uri'
+
class ApplicationController < ActionController::Base
before_filter :user_setup, :check_if_login_required, :set_localization
filter_parameter_logging :password
@@ -77,8 +79,7 @@ class ApplicationController < ActionController::Base
def require_login
if !User.current.logged?
- store_location
- redirect_to :controller => "account", :action => "login"
+ redirect_to :controller => "account", :action => "login", :back_url => request.request_uri
return false
end
true
@@ -115,20 +116,16 @@ class ApplicationController < ActionController::Base
end
end
- # store current uri in session.
- # return to this location by calling redirect_back_or_default
- def store_location
- session[:return_to_params] = params
- end
-
- # move to the last store_location call or to the passed default one
def redirect_back_or_default(default)
- if session[:return_to_params].nil?
- redirect_to default
- else
- redirect_to session[:return_to_params]
- session[:return_to_params] = nil
+ back_url = params[:back_url]
+ if !back_url.blank?
+ uri = URI.parse(back_url)
+ # do not redirect user to another host
+ if uri.relative? || (uri.host == request.host)
+ redirect_to(back_url) and return
+ end
end
+ redirect_to default
end
def render_403
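Review bot: The new `URI.parse(back_url)` call in redirect_back_or_default is not rescued, so a malformed `back_url` raises `URI::InvalidURIError` and the request fails instead of falling through to `redirect_to default`; and the `uri.relative?` branch accepts any URI that has no scheme, which includes forms that still carry a host, so the host comparison should apply whenever `uri.host` is present. Rescue the parse error and treat a URI as local only when it has neither scheme nor host, as below. The two new tests in test/functional/account_controller_test.rb cover an absolute same-host and a foreign-host URL but neither a malformed nor a scheme-less-with-host `back_url`; one case each would pin this. The enclosing class continues outside the hunk.
```ruby
def redirect_back_or_default(default)
  back_url = params[:back_url]
  if !back_url.blank?
    begin
      uri = URI.parse(back_url)
      # do not redirect user to another host: accept a bare path
      # (no scheme, no host) or an absolute URL on our own host
      if (uri.relative? && uri.host.nil?) || uri.host == request.host
        redirect_to(back_url) and return
      end
    rescue URI::InvalidURIError
      # malformed back_url: ignore it and fall back to the default
    end
  end
  redirect_to default
end
```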
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 6e39d093f..7bcec461e 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -451,7 +451,8 @@ module ApplicationHelper
end
def back_url_hidden_field_tag
- hidden_field_tag 'back_url', (params[:back_url] || request.env['HTTP_REFERER'])
+ back_url = params[:back_url] || request.env['HTTP_REFERER']
+ hidden_field_tag('back_url', back_url) unless back_url.blank?
end
def check_all_links(form_name)
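Review bot: In back_url_hidden_field_tag the `||` fallback never reaches the referer when `params[:back_url]` is present but empty, because an empty string is truthy in Ruby, and the new `unless back_url.blank?` guard then suppresses the field entirely. If the intent is to fall back to the referer whenever the parameter is blank, test blankness explicitly: `back_url = params[:back_url]` followed by `back_url = request.env['HTTP_REFERER'] if back_url.blank?`. The helper's enclosing module continues outside the hunk.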
diff --git a/app/views/account/login.rhtml b/app/views/account/login.rhtml
index ea1a1cd44..d8c1f313f 100644
--- a/app/views/account/login.rhtml
+++ b/app/views/account/login.rhtml
@@ -1,5 +1,6 @@
<div id="login-form">
<% form_tag({:action=> "login"}) do %>
+<%= back_url_hidden_field_tag %>
<table>
<tr>
<td align="right"><label for="username"><%=l(:field_login)%>:</label></td>
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 666acf0dd..26218d177 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -44,6 +44,17 @@ class AccountControllerTest < Test::Unit::TestCase
assert_nil assigns(:user)
end
+ def test_login_should_redirect_to_back_url_param
+ # request.uri is "test.host" in test environment
+ post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
+ assert_redirected_to '/issues/show/1'
+ end
+
+ def test_login_should_not_redirect_to_another_host
+ post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
+ assert_redirected_to '/my/page'
+ end
+
def test_login_with_wrong_password
post :login, :username => 'admin', :password => 'bad'
assert_response :success