From 0ad3bf4dfe46476c7ac9406bee60033aab79261b Mon Sep 17 00:00:00 2001
From: Emmanuel Cazenave <ecazenave@entrouvert.com>
Date: Tue, 18 Dec 2018 16:57:54 +0100
Subject: [PATCH] cancel user add: set correct location (#29181)

---
 src/authentic2/manager/user_views.py | 11 ++++++-----
 tests/test_manager.py                | 24 +++++++-----------------
 2 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/src/authentic2/manager/user_views.py b/src/authentic2/manager/user_views.py
index 3d76da1cb..276b97e47 100644
--- a/src/authentic2/manager/user_views.py
+++ b/src/authentic2/manager/user_views.py
@@ -132,15 +132,16 @@ class UserAddView(BaseAddView):
         return fields
 
     def get_success_url(self):
-        return self.request.POST.get('next') or \
-                reverse('a2-manager-user-detail', kwargs={'pk': self.object.pk})
+        return select_next_url(
+            self.request,
+            default=reverse('a2-manager-user-detail', kwargs={'pk': self.object.pk}),
+            include_post=True)
 
     def get_context_data(self, **kwargs):
         context = super(UserAddView, self).get_context_data(**kwargs)
-        context['cancel_url'] = '../..'
+        context['cancel_url'] = select_next_url(self.request, default='../..', include_post=True)
+        context['next'] = select_next_url(self.request, default=None, include_post=True)
         context['ou'] = self.ou
-        if hasattr(self.request, 'GET') and 'next' in self.request.GET:
-            context['next'] = self.request.GET['next']
         return context
 
     def form_valid(self, form):
diff --git a/tests/test_manager.py b/tests/test_manager.py
index d874344b6..c6af5cf23 100644
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@@ -743,35 +743,25 @@ def test_return_on_logout(superuser, app):
 
 
 def test_manager_create_user_next(superuser_or_admin, app, ou1):
-    next_url = u'https://example.nowhere.null/'
+    next_url = u'/example.nowhere.null/'
     url = u'/manage/users/%s/add/?next=%s' % (ou1.pk, next_url)
     login(app, superuser_or_admin, '/manage/')
     response = app.get(url)
+
+    # cancel if not handled through form submission
+    assert response.pyquery.remove_namespaces()('a.cancel').attr('href') == next_url
+
     form = response.form
     form.set('first_name', 'John')
     form.set('last_name', 'Doe')
     form.set('email', 'john.doe@gmail.com')
     form.set('password1', 'ABcd1234')
     form.set('password2', 'ABcd1234')
-    assert form.submit().location == next_url
-
-
-def test_manager_create_user_next_form_cancelation(superuser_or_admin, app, ou1):
-    next_url = u'https://example.nowhere.null/'
-    url = u'/manage/users/%s/add/?next=%s' % (ou1.pk, next_url)
-    login(app, superuser_or_admin, '/manage/')
-    response = app.get(url)
-    form = response.form
-    form.set('first_name', 'John')
-    form.set('last_name', 'Doe')
-    form.set('email', 'john.doe@gmail.com')
-    form.set('password1', 'ABcd1234')
-    form.set('password2', 'ABcd1234')
-    assert form.submit('cancel').location == next_url
+    assert urlparse(form.submit().location).path == next_url
 
 
 def test_manager_create_user_next_form_error(superuser_or_admin, app, ou1):
-    next_url = u'https://example.nowhere.null/'
+    next_url = u'/example.nowhere.null/'
     url = u'/manage/users/%s/add/?next=%s' % (ou1.pk, next_url)
     login(app, superuser_or_admin, '/manage/')
     response = app.get(url)