authorAlexander Sulfrian <alex@spline.inf.fu-berlin.de>2016-02-27 00:40:38 +0100
committerAlexander Sulfrian <alexander@sulfrian.net>2016-02-27 00:44:20 +0100
commit80f6ad24fd57410f6231a1b7de0ac610adf098e4 (patch)
treeac466202f3bdf41897f91b25e9072681e905e859
parentc7e25ef1937f0b584393c6fc84b0ceb2503834f9 (diff)
login: Redirect to next url after login
-rw-r--r--accounts/templates/login/login.html2
-rw-r--r--accounts/views/login/__init__.py20
2 files changed, 20 insertions, 2 deletions
diff --git a/accounts/templates/login/login.html b/accounts/templates/login/login.html
index dadcb1b..3c81cea 100644
--- a/accounts/templates/login/login.html
+++ b/accounts/templates/login/login.html
@@ -10,6 +10,8 @@
</p>
<form action="{{ url_for('.login') }}" method="post" class="form-horizontal">
+ <input type="hidden" value="{{ next or '' }}" name="next" />
+
{% for field in form %}
{{ render_field(field) }}
{% endfor %}
diff --git a/accounts/views/login/__init__.py b/accounts/views/login/__init__.py
index 18dc070..3950cf9 100644
--- a/accounts/views/login/__init__.py
+++ b/accounts/views/login/__init__.py
@@ -4,6 +4,7 @@ from __future__ import absolute_import
from flask import Blueprint
from flask import current_app, redirect, request, g, flash, render_template, url_for
from flask.ext.login import login_user, logout_user, current_user
+from urlparse import urljoin, urlparse
from .forms import LoginForm
@@ -11,6 +12,16 @@ from .forms import LoginForm
bp = Blueprint('login', __name__)
+def is_safe_url(target):
+ ref_url = urlparse(request.host_url)
+ test_url = urlparse(urljoin(request.host_url, target))
+ print(target)
+ print(test_url)
+ return test_url.scheme in ('http', 'https') and \
+ ref_url.netloc == test_url.netloc and \
+ test_url.path == target
+
+
@bp.route('/login', methods=['GET', 'POST'])
def login():
if current_user.is_authenticated():
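Review bot: The two debug statements `print(target)` and `print(test_url)` in is_safe_url write every submitted redirect target to the process stdout on each login; they should be removed before this lands, and if a trace is wanted it belongs in `current_app.logger.debug`. The final comparison `test_url.path == target` also means that any `next` value carrying a query string or fragment (the parsed path of `/foo?x=1` is `/foo`) or an absolute same-host URL is rejected, so the caller silently falls back to the index page — if that narrowing is intended, a docstring such as `"""Return True only for a plain relative path on the current host; query strings, fragments and absolute URLs are rejected."""` would make the contract visible. The `login` function whose signature closes this hunk continues outside it.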
@@ -23,12 +34,17 @@ def login():
form.password.data)
login_user(user)
flash(u'Erfolgreich eingeloggt', 'success')
- return redirect(url_for('default.index'))
+
+ next = request.form['next']
+ if not is_safe_url(next):
+ next = None
+ return redirect(next or url_for('default.index'))
except (current_app.user_backend.NoSuchUserError,
current_app.user_backend.InvalidPasswordError):
flash(u'Ungültiger Benutzername und/oder Passwort', 'error')
- return render_template("login/login.html", form=form)
+ return render_template("login/login.html", form=form,
+ next=request.values.get('next'))
@bp.route('/logout')