From 80f6ad24fd57410f6231a1b7de0ac610adf098e4 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Sat, 27 Feb 2016 00:40:38 +0100
Subject: login: Redirect to next url after login
---
 accounts/templates/login/login.html | 2 ++
 accounts/views/login/__init__.py | 20 ++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/accounts/templates/login/login.html b/accounts/templates/login/login.html
index dadcb1b..3c81cea 100644
--- a/accounts/templates/login/login.html
+++ b/accounts/templates/login/login.html
@@ -10,6 +10,8 @@

+ + {% for field in form %} {{ render_field(field) }} {% endfor %}
diff --git a/accounts/views/login/__init__.py b/accounts/views/login/__init__.py
index 18dc070..3950cf9 100644
--- a/accounts/views/login/__init__.py
+++ b/accounts/views/login/__init__.py
@@ -4,6 +4,7 @@ from __future__ import absolute_import
 from flask import Blueprint
 from flask import current_app, redirect, request, g, flash, render_template, url_for
 from flask.ext.login import login_user, logout_user, current_user
+from urlparse import urljoin, urlparse
 from .forms import LoginForm
@@ -11,6 +12,16 @@ from .forms import LoginForm
 bp = Blueprint('login', __name__)
+def is_safe_url(target):
+    ref_url = urlparse(request.host_url)
+    test_url = urlparse(urljoin(request.host_url, target))
+    print(target)
+    print(test_url)
+    return test_url.scheme in ('http', 'https') and \
+           ref_url.netloc == test_url.netloc and \
+           test_url.path == target
+
+
 @bp.route('/login', methods=['GET', 'POST'])
 def login():
     if current_user.is_authenticated():
@@ -23,12 +34,17 @@ def login():
                 form.password.data)
             login_user(user)
             flash(u'Erfolgreich eingeloggt', 'success')
-            return redirect(url_for('default.index'))
+
+            next = request.form['next']
+            if not is_safe_url(next):
+                next = None
+            return redirect(next or url_for('default.index'))
         except (current_app.user_backend.NoSuchUserError,
                 current_app.user_backend.InvalidPasswordError):
             flash(u'Ungültiger Benutzername und/oder Passwort', 'error')
-    return render_template("login/login.html", form=form)
+    return render_template("login/login.html", form=form,
+                           next=request.values.get('next'))
 @bp.route('/logout')
-- cgit v1.2.3-1-g7c22
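Review bot: The `print(target)` and `print(test_url)` calls in is_safe_url are leftover debug output that writes every user-supplied redirect target to stdout on each login; drop them before merging. The check is strict rather than loose — `test_url.path == target` rejects any target that carries a query string or fragment, so a `next` such as `/foo?x=1` silently falls back to the index page, and if that is intended a docstring should say so. One gap worth closing: urlparse keeps a backslash as ordinary path text while browsers resolve `\` like `/` in a redirect Location, so a target containing one can satisfy the netloc comparison yet not stay on this host; Django's url_has_allowed_host_and_scheme rejects such targets outright, which here would be a first line of `if '\\' in target: return False`. I would also add a docstring such as `"""Return True if *target* resolves to an http(s) path on this host and is safe to redirect to."""`.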
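Review bot: `next = request.form['next']` raises KeyError, which Flask turns into a 400 response, whenever the POST body has no `next` field — the case for any client or stale template that does not send the hidden field — and it happens after `login_user(user)` has already run, so the session is established but the user sees an error page. Use `next = request.form.get('next')` and guard with `if not next or not is_safe_url(next):` so a missing value falls back to `url_for('default.index')`; `is_safe_url(None)` would otherwise fail inside urljoin. The name `next` shadows the builtin; `next_url` reads better. The value handed back through `render_template(..., next=request.values.get('next'))` relies on Jinja autoescaping when it is placed in the hidden field, which is the default for `.html` templates but worth confirming in the template hunk, whose added lines are not legible here. login() starts before this hunk.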