[#309] Set the back_url after sending a lost password so HTTP_REFERER isn't used

Contributed by Robert Chady
2011-04-20 16:23:40 -07:00 · 2011-04-20 16:23:40 -07:00 · ed252f7246
parent 7f47401a03
commit ed252f7246
2 changed files with 26 additions and 2 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -67,7 +67,7 @@ class AccountController < ApplicationController
        if token.save
          Mailer.deliver_lost_password(token)
          flash[:notice] = l(:notice_account_lost_email_sent)
-          redirect_to :action => 'login'
+          redirect_to :action => 'login', :back_url => home_url
          return
        end
      end
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@ -77,7 +77,7 @@ class AccountTest < ActionController::IntegrationTest
    assert_template "account/lost_password"
    
    post "account/lost_password", :mail => 'jSmith@somenet.foo'
-    assert_redirected_to "/login"
+    assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2F"
    
    token = Token.find(:first)
    assert_equal 'recovery', token.action
@ -143,6 +143,30 @@ class AccountTest < ActionController::IntegrationTest
    assert_redirected_to '/login'
    log_user('newuser', 'newpass')
  end
+
+  should_eventually "login after losing password should redirect back to home" do
+    visit "/login"
+    assert_response :success
+
+    click_link "Lost password"
+    assert_response :success
+
+    # Lost password form
+    fill_in "mail", :with => "admin@somenet.foo"
+    click_button "Submit"
+    
+    assert_response :success # back to login page
+    assert_equal "/login", current_path
+
+    fill_in "Login:", :with => 'admin'
+    fill_in "Password:", :with => 'test'
+    click_button "login"
+
+    assert_response :success
+    assert_equal "/", current_path
+    
+  end
+  
  
  if Object.const_defined?(:Mocha)