Fix login redirect if referrer is not internal to site.

2015-03-05 16:55:09 -06:00 · 2015-03-05 16:55:09 -06:00 · a7ecf445db
commit a7ecf445db
parent d296b5bde5
2 changed files with 4 additions and 10 deletions
--- a/tailbone/subscribers.py
+++ b/tailbone/subscribers.py
@ -117,11 +117,9 @@ def context_found(event):
        if request.session.get('referrer'):
            return request.session.pop('referrer')
        referrer = request.referrer
-        if not referrer or referrer == request.current_route_url():
-            if default:
-                referrer = default
-            else:
-                referrer = request.route_url('home')
+        if (not referrer or referrer == request.current_route_url()
+            or not referrer.startswith(request.host_url)):
+            referrer = default or request.route_url('home')
        return referrer
    request.get_referrer = get_referrer

--- a/tailbone/views/auth.py
+++ b/tailbone/views/auth.py
@ -56,11 +56,7 @@ def forbidden(request):
        # Store current URL in session, for smarter redirect after login.
        request.session['next_url'] = request.current_route_url()
    request.session.flash(msg, allow_duplicate=False)
-
-    url = request.referer
-    if not url or url == request.current_route_url():
-        url = request.route_url('home')
-    return HTTPFound(location=url)
+    return HTTPFound(location=request.get_referrer())


 class UserLogin(formencode.Schema):