summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/controllers/application_controller.rb10
-rw-r--r--app/controllers/sessions_controller.rb4
2 files changed, 8 insertions, 6 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index cbeb40d..d8de975 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -21,13 +21,13 @@ class ApplicationController < ActionController::Base
21 { locale: I18n.locale == I18n.default_locale ? nil : I18n.locale } 21 { locale: I18n.locale == I18n.default_locale ? nil : I18n.locale }
22 end 22 end
23 23
24 def safe_return_to(url) 24 def safe_return_to(url, default: events_path)
25 return events_path if url.blank? 25 return default if url.blank?
26 uri = URI.parse(url) 26 uri = URI.parse(url)
27 return events_path if uri.host.present? 27 return default if uri.host.present?
28 return events_path unless url.start_with?('/') 28 return default unless url.start_with?('/')
29 url 29 url
30 rescue URI::InvalidURIError 30 rescue URI::InvalidURIError
31 events_path 31 default
32 end 32 end
33end 33end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index e115b35..64bf951 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -13,13 +13,15 @@ class SessionsController < ApplicationController
13 logout_keeping_session! 13 logout_keeping_session!
14 user = User.authenticate(params[:login], params[:password]) 14 user = User.authenticate(params[:login], params[:password])
15 if user 15 if user
16 return_to = session[:return_to]
17
16 # Protects against session fixation attacks, causes request forgery 18 # Protects against session fixation attacks, causes request forgery
17 # protection if user resubmits an earlier form using back 19 # protection if user resubmits an earlier form using back
18 # button. Uncomment if you understand the tradeoffs. 20 # button. Uncomment if you understand the tradeoffs.
19 reset_session 21 reset_session
20 22
21 self.current_user = user 23 self.current_user = user
22 redirect_back_or_default('/de/admin') # TODO: insert appropriate path to cms main page 24 redirect_to safe_return_to(return_to, :default => admin_path)
23 flash[:notice] = "Logged in successfully" 25 flash[:notice] = "Logged in successfully"
24 else 26 else
25 note_failed_signin 27 note_failed_signin