Fix after-login redirects to "Check Details" and other pages.

2018-11-28 22:06:12 +02:00 · 2018-11-28 22:06:12 +02:00 · 5aba9d6196
commit 5aba9d6196
parent b081631e90
3 changed files with 30 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,7 +8,7 @@ All notable changes to this project will be documented in this file.


 ### Bug Fixes
- Fix after-login redirects for users landing in the "Add Slack" page
+- Fix after-login redirects (the "?next=" query parameter)


 ## 1.3.0 - 2018-11-21
--- a/hc/accounts/tests/test_login.py
+++ b/hc/accounts/tests/test_login.py
@ -2,6 +2,7 @@ from django.contrib.auth.models import User
 from django.core import mail
 from django.test import TestCase
 from hc.accounts.models import Profile
+from hc.api.models import Check
 from django.conf import settings


@ -77,14 +78,22 @@ class LoginTestCase(TestCase):
        alice.set_password("password")
        alice.save()

+        check = Check.objects.create(user=alice)
+
        form = {
            "action": "login",
            "email": "alice@example.org",
            "password": "password"
        }

-        r = self.client.post("/accounts/login/?next=/integrations/add_slack/", form)
-        self.assertRedirects(r, "/integrations/add_slack/")
+        samples = [
+            "/integrations/add_slack/",
+            "/checks/%s/details/" % check.code
+        ]
+
+        for s in samples:
+            r = self.client.post("/accounts/login/?next=%s" % s, form)
+            self.assertRedirects(r, s)

    def test_it_handles_bad_next_parameter(self):
        alice = User(username="alice", email="alice@example.org")
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -13,6 +13,7 @@ from django.core import signing
 from django.http import HttpResponseForbidden, HttpResponseBadRequest
 from django.shortcuts import redirect, render
 from django.utils.timezone import now
+from django.urls import resolve, Resolver404
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
 from hc.accounts.forms import (ChangeEmailForm, EmailPasswordForm,
@ -25,9 +26,21 @@ from hc.api.models import Channel, Check
 from hc.lib.badges import get_badge_url
 from hc.payments.models import Subscription

-NEXT_WHITELIST = ("/checks/",
-                  "/integrations/add_slack/",
-                  "/integrations/add_pushover/")
+NEXT_WHITELIST = ("hc-checks",
+                  "hc-details",
+                  "hc-log",
+                  "hc-channels",
+                  "hc-add-slack",
+                  "hc-add-pushover")
+
+
+def _is_whitelisted(path):
+    try:
+        match = resolve(path)
+    except Resolver404:
+        return False
+
+    return match.url_name in NEXT_WHITELIST


 def _make_user(email):
@ -67,7 +80,7 @@ def _redirect_after_login(request):
    """ Redirect to the URL indicated in ?next= query parameter. """

    redirect_url = request.GET.get("next")
-    if redirect_url in NEXT_WHITELIST:
+    if _is_whitelisted(redirect_url):
        return redirect(redirect_url)

    return redirect("hc-checks")
@ -90,7 +103,7 @@ def login(request):
                profile = Profile.objects.for_user(magic_form.user)

                redirect_url = request.GET.get("next")
-                if redirect_url in NEXT_WHITELIST:
+                if _is_whitelisted(redirect_url):
                    profile.send_instant_login_link(redirect_url=redirect_url)
                else:
                    profile.send_instant_login_link()