diff options
| author | erdgeist <erdgeist@erdgeist.org> | 2026-07-14 01:32:30 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-07-14 01:32:30 +0200 |
| commit | 7185965d97a2d7d98f5feda6cc10fb5d87fcf816 (patch) | |
| tree | 0605a4b72c55224c4545d9ce8cfbdb101c619495 | |
| parent | a18a170f791769691fe905cfe76d103b7a345e87 (diff) | |
Store return_to before resetting session in loging. Fixes returning to an admin page before logging in
| -rw-r--r-- | app/controllers/application_controller.rb | 10 | ||||
| -rw-r--r-- | app/controllers/sessions_controller.rb | 4 |
2 files changed, 8 insertions, 6 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index cbeb40d..d8de975 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb | |||
| @@ -21,13 +21,13 @@ class ApplicationController < ActionController::Base | |||
| 21 | { locale: I18n.locale == I18n.default_locale ? nil : I18n.locale } | 21 | { locale: I18n.locale == I18n.default_locale ? nil : I18n.locale } |
| 22 | end | 22 | end |
| 23 | 23 | ||
| 24 | def safe_return_to(url) | 24 | def safe_return_to(url, default: events_path) |
| 25 | return events_path if url.blank? | 25 | return default if url.blank? |
| 26 | uri = URI.parse(url) | 26 | uri = URI.parse(url) |
| 27 | return events_path if uri.host.present? | 27 | return default if uri.host.present? |
| 28 | return events_path unless url.start_with?('/') | 28 | return default unless url.start_with?('/') |
| 29 | url | 29 | url |
| 30 | rescue URI::InvalidURIError | 30 | rescue URI::InvalidURIError |
| 31 | events_path | 31 | default |
| 32 | end | 32 | end |
| 33 | end | 33 | end |
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index e115b35..64bf951 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb | |||
| @@ -13,13 +13,15 @@ class SessionsController < ApplicationController | |||
| 13 | logout_keeping_session! | 13 | logout_keeping_session! |
| 14 | user = User.authenticate(params[:login], params[:password]) | 14 | user = User.authenticate(params[:login], params[:password]) |
| 15 | if user | 15 | if user |
| 16 | return_to = session[:return_to] | ||
| 17 | |||
| 16 | # Protects against session fixation attacks, causes request forgery | 18 | # Protects against session fixation attacks, causes request forgery |
| 17 | # protection if user resubmits an earlier form using back | 19 | # protection if user resubmits an earlier form using back |
| 18 | # button. Uncomment if you understand the tradeoffs. | 20 | # button. Uncomment if you understand the tradeoffs. |
| 19 | reset_session | 21 | reset_session |
| 20 | 22 | ||
| 21 | self.current_user = user | 23 | self.current_user = user |
| 22 | redirect_back_or_default('/de/admin') # TODO: insert appropriate path to cms main page | 24 | redirect_to safe_return_to(return_to, :default => admin_path) |
| 23 | flash[:notice] = "Logged in successfully" | 25 | flash[:notice] = "Logged in successfully" |
| 24 | else | 26 | else |
| 25 | note_failed_signin | 27 | note_failed_signin |
