Restrict post-login redirection targets to local URLs
This commit is contained in:
Kevin Xiwei Zheng
@@ -7,7 +7,8 @@ class SessionsController < ApplicationController
|
|||||||
session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
|
session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
|
||||||
|
|
||||||
if session_creator.authenticate
|
if session_creator.authenticate
|
||||||
redirect_to(params[:url] || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
|
url = params[:url] if params[:url].start_with? '/'
|
||||||
|
redirect_to(url || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
|
||||||
else
|
else
|
||||||
redirect_to(new_session_path, :notice => "Password was incorrect.")
|
redirect_to(new_session_path, :notice => "Password was incorrect.")
|
||||||
end
|
end
|
||||||
|
|||||||
Reference in New Issue
Block a user