I have a proposal to answer the 'redirect to requested url after login'
issue. I did not make any patch because the code is split between pluf
and the main app.
I wrote it in 4 steps - that is, following the internal logic:
- A pluf template tag (RequestQuery) that inserts the current 'url' in the
template like this:
<a href="{url 'MyApp_Views::login'}?_redirect_after={requestquery}">
- In the app login form: a new HiddenInput which is
initially set with this GET variable value in the login view
- In the app login form, on a POST request, before calling the pluf->login method,
we try to compose a redirection:
if (isset($request->POST['_redirect_after'])) {
    $redirect = Pluf::f('canopedia_base') . $request->POST['_redirect_after'];
} else {
    $redirect = Pluf::f('login_success_url');
}
return $v->login($request, $match, $redirect, ....
We do this at this point because I did not find a way inside
Pluf::Views->login to compose the app's base path (we are missing a config var with
the app's name, maybe).
- Let's look at Pluf_View::Login now.
I suggest deleting the beginning of the method, which seems to me a
little bit "magical", because it overrides the $success_url parameter:
http://projects.ceondo.com/p/pluf/source/tree/master/src/Pluf/Views.php#L80
Instead, we want to have a security check to validate that the 'success_url'
(which is technically more of a success_path or success_query) stays inside
the app perimeter:
// Security checks: the url is not garbage and does not redirect elsewhere.
// The regex is anchored so that it matches a '//' *before* the first '?',
// as in django/contrib/auth/views.py (where it is used with re.match).
if ($success_url != '/'
    and (false !== strpos($success_url, ' ')
         or false !== strpos($success_url, '//')
         or 0 !== preg_match('#^[^\?]*//#', $success_url))) {
    $success_url = '/';
}
Okay. That's it, the redirection is effective.
Thank you for having read this ;). I hope everything is clear and I would very much
appreciate your feedback on this one.
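The success_url check proposed above, as an added stand-alone example (not code from the thread or from Pluf): the same conditions wrapped in a function and run over constructed sample values, so the accept/reject behaviour can be seen directly. The function name and the sample paths are assumptions for the example.

```php
<?php
// Added example, not Pluf code: the success_url check from the proposal,
// wrapped in a function and exercised on constructed values.

/**
 * Return the path to redirect to after login, falling back to '/'
 * when $success_url could send the user outside the application.
 */
function safe_success_url($success_url)
{
    // Reject anything that is not a bare in-app path:
    //  - a space means the value is garbage, not a path;
    //  - '//' anywhere means a scheme-relative or absolute URL;
    //  - the anchored regex is the django/contrib/auth check for a '//'
    //    before the first '?'. The strpos test above already covers it;
    //    it is kept here to mirror the proposal.
    if ($success_url != '/'
        and (false !== strpos($success_url, ' ')
             or false !== strpos($success_url, '//')
             or 0 !== preg_match('#^[^\?]*//#', $success_url))) {
        return '/';
    }
    return $success_url;
}

// Constructed sample values: what a user could place in _redirect_after,
// mapped to the redirect the check should produce.
$samples = array(
    '/'                              => '/',
    '/MyApp/wiki/Home'               => '/MyApp/wiki/Home',
    '/MyApp/search?q=a+b'            => '/MyApp/search?q=a+b',
    '//other.example/page'           => '/',  // scheme-relative URL
    'http://other.example/'          => '/',  // absolute URL
    '/MyApp/go?next=//other.example' => '/',  // '//' only in the query: strpos still rejects it
    '/MyApp/bad path'                => '/',  // contains a space: garbage
);

foreach ($samples as $input => $expected) {
    $got = safe_success_url($input);
    printf("%-34s -> %-22s %s\n", $input, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Two things worth noticing when reading the output: the check is applied to the composed value (base path plus the posted suffix), so a suffix starting with '//' is caught after concatenation as well; and an empty string passes the check unchanged, so the caller should still fall back to 'login_success_url' when the posted value is empty.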
Nice stuff. You can use the Pluf_Sign to sign the query string you pass
in your view. This way, you can be sure that the success url is "valid".
loïc
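The signing approach suggested in the reply above, as an added example that is not from the thread and does not use Pluf_Sign's own API: a minimal HMAC stand-in (hypothetical helpers sign_redirect and unsign_redirect, a constructed key) showing how the login view can recognise a redirect target it issued itself and reject one that was altered or supplied from outside.

```php
<?php
// Added example, not Pluf code. Pluf_Sign is the framework's own facility
// for this; the helpers below are a hypothetical stand-in so the snippet runs
// on plain PHP (>= 5.6 for hash_equals).

// Constructed key for the example; a real application reads it from config.
$secret_key = 'constructed-example-key-do-not-reuse';

/** Sign a redirect target as "<path>.<hex hmac>" for a hidden input or query parameter. */
function sign_redirect($path, $key)
{
    return $path . '.' . hash_hmac('sha256', $path, $key);
}

/**
 * Verify a signed redirect target. Returns the path when the signature is
 * valid, or null when it is missing, malformed or does not match.
 */
function unsign_redirect($signed, $key)
{
    $pos = strrpos($signed, '.');   // the MAC follows the last '.'
    if ($pos === false) {
        return null;
    }
    $path = substr($signed, 0, $pos);
    $mac  = substr($signed, $pos + 1);
    // Constant-time comparison so the check does not leak through timing.
    if (!hash_equals(hash_hmac('sha256', $path, $key), $mac)) {
        return null;
    }
    return $path;
}

// 1. On GET, the login page embeds the signed current URL in the hidden input
//    (the value {requestquery} would render, here a constructed path).
$requested    = '/MyApp/wiki/Home';
$hidden_value = sign_redirect($requested, $secret_key);

// 2. On POST, the hidden value comes back; verify it before redirecting.
//    Constructed cases: the genuine value, one with the path rewritten, one unsigned.
$cases = array(
    'untouched'     => $hidden_value,
    'rewritten path' => str_replace($requested, '//other.example', $hidden_value),
    'no signature'  => $requested,
);
foreach ($cases as $label => $posted) {
    $path = unsign_redirect($posted, $secret_key);
    printf("%-15s -> %s\n", $label,
           $path === null ? 'rejected, use login_success_url' : 'redirect to ' . $path);
}
```

The signature only proves that the application itself produced the value; it says nothing about where the path points, so it complements the in-app path check from the proposal rather than replacing it.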
On Wed, 06 Apr 2011 14:25:16 +0200,
Loic d'Anterroches <ti...@users.sourceforge.net> wrote:
> loïc
>
Good morning,
That was a great idea, Loïc. The attached patch adds the template tag with some instructions.
If everything is okay, I will handle this in indefero later.
--
Baptiste