From 7185965d97a2d7d98f5feda6cc10fb5d87fcf816 Mon Sep 17 00:00:00 2001 From: erdgeist Date: Tue, 14 Jul 2026 01:32:30 +0200 Subject: Store return_to before resetting session in loging. Fixes returning to an admin page before logging in --- app/controllers/sessions_controller.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/controllers/sessions_controller.rb') diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index e115b35..64bf951 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -13,13 +13,15 @@ class SessionsController < ApplicationController logout_keeping_session! user = User.authenticate(params[:login], params[:password]) if user + return_to = session[:return_to] + # Protects against session fixation attacks, causes request forgery # protection if user resubmits an earlier form using back # button. Uncomment if you understand the tradeoffs. reset_session self.current_user = user - redirect_back_or_default('/de/admin') # TODO: insert appropriate path to cms main page + redirect_to safe_return_to(return_to, :default => admin_path) flash[:notice] = "Logged in successfully" else note_failed_signin -- cgit v1.3