author | Kazuki Yamaguchi <k@rhe.jp> | 2015-06-19 01:01:46 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2015-06-19 01:01:46 +0900 |
commit | 3a21cf8cc21f0f7f56b21e8ebc8e049cabc956ca (patch) | |
tree | 1f76afc1be5c2e289c324fd0220030f4ee46b4ba | |
parent | eeaa5ec5230d7a15f1c25ec696caf3a6a0aa5327 (diff) | |
download | aclog-3a21cf8cc21f0f7f56b21e8ebc8e049cabc956ca.tar.gz |
web: extract the safe-redirect check into ApplicationController#safe_redirect?
-rw-r--r-- | app/controllers/application_controller.rb | 7 | ||||
-rw-r--r-- | app/controllers/sessions_controller.rb | 16 |
2 files changed, 13 insertions, 10 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 7700a2c..15cc108 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -17,11 +17,10 @@ class ApplicationController < ActionController::Base end def current_user - @_current_user ||= begin + @_current_user ||= if logged_in? User.find(session[:user_id]) end - end end def authorized_to_show_user?(user) @@ -39,4 +38,8 @@ class ApplicationController < ActionController::Base end object end + + def safe_redirect?(to) + to[0] == "/" && !to.include?("//") + end end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index f5d609c..335d84e 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -5,11 +5,6 @@ class SessionsController < ApplicationController account = Account.register(user_id: auth.uid, oauth_token: auth.credentials.token, oauth_token_secret: auth.credentials.secret) - begin - WorkerManager.update_account(account) - rescue Aclog::Exceptions::WorkerConnectionError - end - User.create_or_update_from_json( { id: account.user_id, screen_name: auth.extra.raw_info.screen_name, @@ -17,13 +12,18 @@ class SessionsController < ApplicationController profile_image_url_https: auth.extra.raw_info.profile_image_url_https, protected: auth.extra.raw_info.protected }) + begin + WorkerManager.update_account(account) + rescue Aclog::Exceptions::WorkerConnectionError + end + session[:user_id] = account.user_id to = request.env["omniauth.params"]["redirect_after_login"].to_s - if to == "/" || to[0] != "/" || to.include?("//") - redirect_to user_path(auth.extra.raw_info.screen_name) - else + if safe_redirect?(to) redirect_to to + else + redirect_to user_path(auth.extra.raw_info.screen_name) end end |
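Review bot: `safe_redirect?` still accepts backslash targets such as `/\evil.com`, because the new `def safe_redirect?(to)` rejects only a literal `//`, while browsers following a Location header treat a backslash after the leading slash like a second slash, so `/\evil.com` resolves to `http://evil.com` and the open redirect the check is meant to close stays open. Tightening the predicate to `to.start_with?("/") && !to.match?(%r{//|\\|[\r\n]})` also keeps CR/LF out of the header value; the caller already coerces with `.to_s`, so an empty string still falls to the default branch. A short why-comment above the method, `# Same-origin, path-absolute targets only: "//", "/\" and CRLF would leave the host`, would stop the next maintainer from loosening it. The method is also public on ApplicationController, and Rails treats public controller instance methods as candidate actions; if it is only a helper, placing it under `private` is the safer default.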
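Review bot: The relocated `rescue Aclog::Exceptions::WorkerConnectionError` block in the second hunk of sessions_controller.rb still has an empty body, so a worker outage during login leaves no trace in the logs; changing it to `rescue Aclog::Exceptions::WorkerConnectionError => e` followed by `Rails.logger.warn("worker update skipped for #{account.user_id}: #{e.message}")` keeps the best-effort behaviour while making the failure visible. Separately, the removed condition special-cased `to == "/"` and sent it to the user's page, whereas `safe_redirect?("/")` is now true and redirects to `/`; the commit message does not mention this, so it is worth confirming the change is intended. The enclosing action begins before the first hunk.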