Mercurial > hg > soundsoftware-site
comparison app/controllers/application_controller.rb @ 1516:b450a9d58aed redmine-2.4
Update to Redmine SVN revision 13356 on 2.4-stable branch
| author | Chris Cannam |
|---|---|
| date | Tue, 09 Sep 2014 09:28:31 +0100 |
| parents | e248c7af89ec |
| children | dffacf8a6908 2e8063097240 |
comparison
equal
deleted
inserted
replaced
| 1494:e248c7af89ec | 1516:b450a9d58aed |
|---|---|
| 42 | 42 |
| 43 def handle_unverified_request | 43 def handle_unverified_request |
| 44 unless api_request? | 44 unless api_request? |
| 45 super | 45 super |
| 46 cookies.delete(autologin_cookie_name) | 46 cookies.delete(autologin_cookie_name) |
| 47 self.logged_user = nil | |
| 47 render_error :status => 422, :message => "Invalid form authenticity token." | 48 render_error :status => 422, :message => "Invalid form authenticity token." |
| 48 end | 49 end |
| 49 end | 50 end |
| 50 | 51 |
| 51 before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization | 52 before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization |
| 373 url | 374 url |
| 374 end | 375 end |
| 375 | 376 |
| 376 def redirect_back_or_default(default) | 377 def redirect_back_or_default(default) |
| 377 back_url = params[:back_url].to_s | 378 back_url = params[:back_url].to_s |
| 378 if back_url.present? | 379 if back_url.present? && valid_back_url?(back_url) |
| 379 begin | 380 redirect_to(back_url) |
| 380 uri = URI.parse(back_url) | 381 return |
| 381 # do not redirect user to another host or to the login or register page | |
| 382 if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) | |
| 383 redirect_to(back_url) | |
| 384 return | |
| 385 end | |
| 386 rescue URI::InvalidURIError | |
| 387 logger.warn("Could not redirect to invalid URL #{back_url}") | |
| 388 # redirect to default | |
| 389 end | |
| 390 end | 382 end |
| 391 redirect_to default | 383 redirect_to default |
| 392 false | 384 false |
| 393 end | 385 end |
| 386 | |
| 387 # Returns true if back_url is a valid url for redirection, otherwise false | |
| 388 def valid_back_url?(back_url) | |
| 389 if CGI.unescape(back_url).include?('..') | |
| 390 return false | |
| 391 end | |
| 392 | |
| 393 begin | |
| 394 uri = URI.parse(back_url) | |
| 395 rescue URI::InvalidURIError | |
| 396 return false | |
| 397 end | |
| 398 | |
| 399 if uri.host.present? && uri.host != request.host | |
| 400 return false | |
| 401 end | |
| 402 | |
| 403 if uri.path.match(%r{/(login|account/register)}) | |
| 404 return false | |
| 405 end | |
| 406 | |
| 407 if relative_url_root.present? && !uri.path.starts_with?(relative_url_root) | |
| 408 return false | |
| 409 end | |
| 410 | |
| 411 return true | |
| 412 end | |
| 413 private :valid_back_url? | |
| 394 | 414 |
| 395 # Redirects to the request referer if present, redirects to args or call block otherwise. | 415 # Redirects to the request referer if present, redirects to args or call block otherwise. |
| 396 def redirect_to_referer_or(*args, &block) | 416 def redirect_to_referer_or(*args, &block) |
| 397 redirect_to :back | 417 redirect_to :back |
| 398 rescue ::ActionController::RedirectBackError | 418 rescue ::ActionController::RedirectBackError |
| 552 nil | 572 nil |
| 553 end | 573 end |
| 554 | 574 |
| 555 # Returns a string that can be used as filename value in Content-Disposition header | 575 # Returns a string that can be used as filename value in Content-Disposition header |
| 556 def filename_for_content_disposition(name) | 576 def filename_for_content_disposition(name) |
| 557 request.env['HTTP_USER_AGENT'] =~ %r{MSIE} ? ERB::Util.url_encode(name) : name | 577 request.env['HTTP_USER_AGENT'] =~ %r{(MSIE|Trident)} ? ERB::Util.url_encode(name) : name |
| 558 end | 578 end |
| 559 | 579 |
| 560 def api_request? | 580 def api_request? |
| 561 %w(xml json).include? params[:format] | 581 %w(xml json).include? params[:format] |
| 562 end | 582 end |