refs #9 - fix for usability problem.
Fix for this problem: https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
This commit is contained in:
parent
bd22c5b3ff
commit
38d025cc2b
|
@ -48,7 +48,24 @@ module RedmineCAS
|
|||
else
|
||||
self.logged_user = user
|
||||
end
|
||||
redirect_to url_for(params.merge(:ticket => nil))
|
||||
|
||||
# If a parameter :ref exists, redirect to :ref. This is a workaround for the
|
||||
# usability problem I introduced trying to fix issue #9.
|
||||
# https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
|
||||
|
||||
if params.has_key?(:ref)
|
||||
# do some basic validation on ref, to prevent a malicious link to redirect
|
||||
# to another site.
|
||||
new_url = params[:ref]
|
||||
if /http(s)?:\/\/|@/ =~ new_url
|
||||
# evil referrer!
|
||||
redirect_to url_for(params.merge(:ticket => nil))
|
||||
else
|
||||
redirect_to request.base_url + params[:ref]
|
||||
end
|
||||
else
|
||||
redirect_to url_for(params.merge(:ticket => nil))
|
||||
end
|
||||
else
|
||||
# CASClient called redirect_to
|
||||
end
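Review bot: The denylist at `if /http(s)?:\/\/|@/ =~ new_url` does not make `redirect_to request.base_url + params[:ref]` safe, because `base_url` is scheme plus host with no trailing slash and `ref` is joined to it as a plain string: a value such as `.attacker.example/x` contains neither `http://` nor `@`, yet yields `https://redmine.example.attacker.example/x`, an off-site redirect that passes the check. A positive test for a local absolute path is the right shape here, `if new_url.start_with?('/') && !new_url.start_with?('//', '/\\')` redirecting to `request.base_url + new_url` and the fallback moved to the `else` branch, so only paths on the current host can ever be built. The three identical `redirect_to url_for(params.merge(:ticket => nil))` calls could also be hoisted into one local (`fallback = url_for(params.merge(:ticket => nil))`) so the branches read as validate-or-fall-back. The enclosing method and its outer `if` start before this hunk.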
|
||||
|
|
|
@ -14,9 +14,12 @@ module RedmineCAS
|
|||
def require_login_with_cas
|
||||
return require_login_without_cas unless RedmineCAS.enabled?
|
||||
if !User.current.logged?
|
||||
referrer = request.fullpath;
|
||||
respond_to do |format|
|
||||
format.html { redirect_to :controller => 'account', :action => 'cas' }
|
||||
format.atom { redirect_to :controller => 'account', :action => 'cas' }
|
||||
# pass referer to cas action, to work around this problem:
|
||||
# https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
|
||||
format.html { redirect_to :controller => 'account', :action => 'cas', :ref => referrer }
|
||||
format.atom { redirect_to :controller => 'account', :action => 'cas', :ref => referrer }
|
||||
format.xml { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
|
||||
format.js { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
|
||||
format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
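Review bot: The new local on `referrer = request.fullpath;` carries a stray semicolon and a misleading name: it holds the path of the request being interrupted, not the HTTP Referer header, so `return_path = request.fullpath` reads better and avoids the `referrer`/`referer` spelling mix with the comment above the new `format.html` line. That line also deserves a note that this value leaves the server as the `:ref` query parameter and comes back from the browser after the CAS round-trip, so whatever consumes it must treat it as untrusted: `# sent to the browser as :ref and read back after CAS login; the cas action must validate it before redirecting`. The `respond_to` block and require_login_with_cas continue past the end of this hunk.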
|
||||
|
|