Ensure we only store paths in store_location_for (thanks to @homakov for the tip)

This commit is contained in:
José Valim 2013-11-13 13:30:24 +01:00
parent 221be6d6ef
commit 0582467032
2 changed files with 9 additions and 1 deletions

View File

@ -1,3 +1,5 @@
require "uri"
module Devise
module Controllers
# Provide the ability to store a location.
@ -31,7 +33,7 @@ module Devise
#
def store_location_for(resource_or_scope, location)
session_key = stored_location_key_for(resource_or_scope)
session[session_key] = location
session[session_key] = URI.parse(location).path
end
private

View File

@ -198,6 +198,12 @@ class ControllerAuthenticatableTest < ActionController::TestCase
assert_equal "/foo.bar", @controller.stored_location_for(User.new)
end
test 'store location for stores only paths' do
assert_nil @controller.stored_location_for(:user)
@controller.store_location_for(:user, "//host/foo.bar")
assert_equal "/foo.bar", @controller.stored_location_for(:user)
end
test 'after sign in path defaults to root path if none by was specified for the given scope' do
assert_equal root_path, @controller.after_sign_in_path_for(:user)
end