[#347] Fix potential Execution After Redirect bugs

Execution After Redirect (EAR) happens when a redirect in a controller action is
triggered but the code following it in the action still executes.

Contributed by Adam Doupé
Eric Davis 2011-04-28 14:39:19 -07:00
parent 72cd7f2049
commit d2973a641e
6 changed files with 25 additions and 15 deletions


@ -274,6 +274,7 @@ class ApplicationController < ActionController::Base
end
end
redirect_to default
false
end
def render_403(options={})
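Review bot: The bare `false` after `redirect_to default` gives the method a return value whose meaning nothing in the hunk explains, and a falsy return means any `... and return` at a call site would not return at all — the same fall-through this commit is meant to remove. If the value is intentional, a comment such as `# Always falsy: callers must return explicitly after calling this method` would document that and prevent the misuse; if not, the method could simply end with the redirect. The enclosing method and its earlier branch begin outside the hunk, so whether the return values agree across paths cannot be checked here.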


@ -38,8 +38,9 @@ class CustomFieldsController < ApplicationController
flash[:notice] = l(:notice_successful_create)
call_hook(:controller_custom_fields_new_after_save, :params => params, :custom_field => @custom_field)
redirect_to :action => 'index', :tab => @custom_field.class.name
else
@trackers = Tracker.find(:all, :order => 'position')
end
@trackers = Tracker.find(:all, :order => 'position')
end
def edit
@ -48,8 +49,9 @@ class CustomFieldsController < ApplicationController
flash[:notice] = l(:notice_successful_update)
call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
redirect_to :action => 'index', :tab => @custom_field.class.name
else
@trackers = Tracker.find(:all, :order => 'position')
end
@trackers = Tracker.find(:all, :order => 'position')
end
def destroy
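Review bot: Moving `@trackers = Tracker.find(:all, :order => 'position')` into the `else` branch is correct, but the same line now sits in both the `new` and `edit` actions (first and second hunk), so a future change to the tracker ordering has to be made twice. A private helper, e.g. `def load_trackers; @trackers = Tracker.find(:all, :order => 'position'); end`, called from both `else` branches would keep the two form paths in step. The `if` whose `else` is added here begins outside the hunk.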


@ -75,10 +75,12 @@ class EnumerationsController < ApplicationController
# No associated objects
@enumeration.destroy
redirect_to :action => 'index'
return
elsif params[:reassign_to_id]
if reassign_to = @enumeration.class.find_by_id(params[:reassign_to_id])
@enumeration.destroy(reassign_to)
redirect_to :action => 'index'
return
end
end
@enumerations = @enumeration.class.find(:all) - [@enumeration]
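Review bot: When `params[:reassign_to_id]` is present but `find_by_id` returns nothing, the new `return` is never reached and execution falls through to `@enumerations = ...` and the confirmation page with no indication that the chosen target was invalid. That silent fallback is not introduced by the commit, but it is the one path in this hunk that is neither a redirect nor an explicit error, so a comment naming the intent would help, e.g. `# no valid reassign target: show the confirmation page again`. The `if` chain and the `destroy` action begin outside the hunk.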


@ -65,10 +65,12 @@ class IssueCategoriesController < ApplicationController
# No issue assigned to this category
@category.destroy
redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
return
elsif params[:todo]
reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id]) if params[:todo] == 'reassign'
@category.destroy(reassign_to)
redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
return
end
@categories = @project.issue_categories - [@category]
end
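Review bot: In the `elsif params[:todo]` branch a request with `params[:todo] == 'reassign'` whose `reassign_to_id` does not resolve to one of the project's categories leaves `reassign_to` nil, yet `@category.destroy(reassign_to)` still runs and the user is redirected as if the reassignment had happened — presumably the issues are left without a category instead. The added `return` fixes the redirect fall-through but does not guard this case; the branch should only destroy when the reassign target resolved (or when no reassignment was requested), and otherwise drop to the confirmation page that the method already renders. The `if` chain and the `destroy` action begin outside the hunk.
```ruby
elsif params[:todo]
  reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id]) if params[:todo] == 'reassign'
  # A 'reassign' request whose target is not one of this project's categories
  # is not acted on; fall through to the confirmation page instead.
  if params[:todo] != 'reassign' || reassign_to
    @category.destroy(reassign_to)
    redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
    return
  end
end
# … unchanged: @categories assignment …
```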


@ -38,9 +38,10 @@ class RolesController < ApplicationController
end
flash[:notice] = l(:notice_successful_create)
redirect_to :action => 'index'
else
@permissions = @role.setable_permissions
@roles = Role.find :all, :order => 'builtin, position'
end
@permissions = @role.setable_permissions
@roles = Role.find :all, :order => 'builtin, position'
end
def edit
@ -48,8 +49,9 @@ class RolesController < ApplicationController
if request.post? and @role.update_attributes(params[:role])
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'index'
else
@permissions = @role.setable_permissions
end
@permissions = @role.setable_permissions
end
def destroy
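Review bot: `@role.update_attributes(params[:role])` in the second hunk passes the whole request hash through mass assignment; if `Role` does not declare `attr_protected`/`attr_accessible` for sensitive columns (the `builtin` flag that the ordering below relies on, for instance), a form post could set them — worth confirming against the model, which is not visible here. Separately, `@permissions = @role.setable_permissions` now appears in the `else` branch of both `new` and `edit` (first and second hunk); a private helper called from both would keep the form setup in one place. Also `request.post? and @role.update_attributes(...)` uses `and` for boolean logic, where `&&` is the conventional operator and avoids precedence surprises. The `if` whose `else` is added begins outside the hunk in both cases.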


@ -36,16 +36,16 @@ class SettingsController < ApplicationController
end
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'edit', :tab => params[:tab]
return
end
@options = {}
@options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
@deliveries = ActionMailer::Base.perform_deliveries
else
@options = {}
@options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
@deliveries = ActionMailer::Base.perform_deliveries
@guessed_host_and_path = request.host_with_port.dup
@guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
@guessed_host_and_path = request.host_with_port.dup
@guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
Redmine::Themes.rescan
Redmine::Themes.rescan
end
end
def plugin
@ -54,9 +54,10 @@ class SettingsController < ApplicationController
Setting["plugin_#{@plugin.id}"] = params[:settings]
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'plugin', :id => @plugin.id
else
@partial = @plugin.settings[:partial]
@settings = Setting["plugin_#{@plugin.id}"]
end
@partial = @plugin.settings[:partial]
@settings = Setting["plugin_#{@plugin.id}"]
rescue Redmine::PluginNotFound
render_404
end
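Review bot: In the first hunk the new `else` branch builds `@guessed_host_and_path` from `request.host_with_port`, i.e. from the client-supplied Host header, and nothing on the line says that this is only a prefilled suggestion for the administrator rather than a trusted value. A comment would make the trust boundary explicit for the next maintainer, e.g. `# Prefill only: taken from the request's Host header, which the client controls; the admin reviews it before it is saved as a setting.` The `if` whose `else` is added begins outside the hunk.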