From 7185965d97a2d7d98f5feda6cc10fb5d87fcf816 Mon Sep 17 00:00:00 2001 From: erdgeist Date: Tue, 14 Jul 2026 01:32:30 +0200 Subject: Store return_to before resetting session in loging. Fixes returning to an admin page before logging in --- app/controllers/application_controller.rb | 10 +++++----- app/controllers/sessions_controller.rb | 4 +++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index cbeb40d..d8de975 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -21,13 +21,13 @@ class ApplicationController < ActionController::Base { locale: I18n.locale == I18n.default_locale ? nil : I18n.locale } end - def safe_return_to(url) - return events_path if url.blank? + def safe_return_to(url, default: events_path) + return default if url.blank? uri = URI.parse(url) - return events_path if uri.host.present? - return events_path unless url.start_with?('/') + return default if uri.host.present? + return default unless url.start_with?('/') url rescue URI::InvalidURIError - events_path + default end end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index e115b35..64bf951 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -13,13 +13,15 @@ class SessionsController < ApplicationController logout_keeping_session! user = User.authenticate(params[:login], params[:password]) if user + return_to = session[:return_to] + # Protects against session fixation attacks, causes request forgery # protection if user resubmits an earlier form using back # button. Uncomment if you understand the tradeoffs. reset_session self.current_user = user - redirect_back_or_default('/de/admin') # TODO: insert appropriate path to cms main page + redirect_to safe_return_to(return_to, :default => admin_path) flash[:notice] = "Logged in successfully" else note_failed_signin -- cgit v1.3