diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 553bd2a85..c560ee5ed 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -122,6 +122,9 @@ class ApplicationController < ActionController::Base
   end
 
   def redirect_with_query_params_to(options, response_status = {})
-    redirect_to request.query_parameters.merge(options), response_status
+    path_options = { controller: params[:controller] }.merge(options).merge(only_path: true)
+    path = url_for(request.query_parameters.merge(path_options))
+
+    redirect_to path, response_status
   end
 end
diff --git a/spec/controllers/admin/hidden_debates_controller_spec.rb b/spec/controllers/admin/hidden_debates_controller_spec.rb
new file mode 100644
index 000000000..c55617a94
--- /dev/null
+++ b/spec/controllers/admin/hidden_debates_controller_spec.rb
@@ -0,0 +1,25 @@
+require "rails_helper"
+
+describe Admin::HiddenDebatesController do
+  before { sign_in create(:administrator).user }
+
+  describe "PUT confirm_hide" do
+    it "keeps query parameters while using protected redirects" do
+      debate = create(:debate, :hidden)
+
+      get :confirm_hide, params: { id: debate, filter: "all", host: "evil.dev" }
+
+      expect(response).to redirect_to "/admin/hidden_debates?filter=all"
+    end
+  end
+
+  describe "PUT restore" do
+    it "keeps query parameters while using protected redirects" do
+      debate = create(:debate, :hidden, :with_confirmed_hide)
+
+      get :restore, params: { id: debate, filter: "all", host: "evil.dev" }
+
+      expect(response).to redirect_to "/admin/hidden_debates?filter=all"
+    end
+  end
+end
diff --git a/spec/controllers/admin/organizations_controller_spec.rb b/spec/controllers/admin/organizations_controller_spec.rb
new file mode 100644
index 000000000..bafa1819c
--- /dev/null
+++ b/spec/controllers/admin/organizations_controller_spec.rb
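Review bot: The `path = url_for(request.query_parameters.merge(path_options))` line still lets the query string supply routing options other than host, because query_parameters is merged first and only controller and only_path are pinned afterwards; url_for keys that shape a relative path (script_name, anchor, format, and action when options omits it) would therefore remain caller-controlled, which is worth confirming against the Rails version in use. One way to keep query data out of the routing options altogether is to hand it to url_for as query data, `path = url_for(path_options.merge(params: request.query_parameters))`, bearing in mind that the new specs would then expect every query key to be echoed in the redirect target. The reason for forcing only_path is not recorded; a comment such as `# Build a relative path so host/port/protocol from the query string cannot send the redirect off-site` above the `path_options` line would make the intent survive the next refactor. The enclosing class continues outside the hunk.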
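Review bot: Each example group is labelled `"PUT confirm_hide"` and `"PUT restore"` but the request is issued with `get`, so the description and the exercised verb disagree on the `get :confirm_hide, params: { ... }` and `get :restore, params: { ... }` lines. As far as I can tell controller specs dispatch straight to the action regardless of verb, so the examples pass either way, but `put :confirm_hide, params: { id: debate, filter: "all", host: "evil.dev" }` keeps the label honest and exercises the verb the route declares. The same mismatch appears in the organizations, budget investments and moderation users specs added by this commit.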
@@ -0,0 +1,25 @@
+require "rails_helper"
+
+describe Admin::OrganizationsController do
+  before { sign_in create(:administrator).user }
+
+  describe "PUT verify" do
+    it "keeps query parameters while using protected redirects" do
+      organization = create(:organization)
+
+      get :verify, params: { id: organization, filter: "pending", host: "evil.dev" }
+
+      expect(response).to redirect_to "/admin/organizations?filter=pending"
+    end
+  end
+
+  describe "PUT reject" do
+    it "keeps query parameters while using protected redirects" do
+      organization = create(:organization)
+
+      get :reject, params: { id: organization, filter: "pending", host: "evil.dev" }
+
+      expect(response).to redirect_to "/admin/organizations?filter=pending"
+    end
+  end
+end
diff --git a/spec/controllers/moderation/budgets/investments_controller_spec.rb b/spec/controllers/moderation/budgets/investments_controller_spec.rb
new file mode 100644
index 000000000..eacba5a2e
--- /dev/null
+++ b/spec/controllers/moderation/budgets/investments_controller_spec.rb
@@ -0,0 +1,15 @@
+require "rails_helper"
+
+describe Moderation::Budgets::InvestmentsController do
+  before { sign_in create(:moderator).user }
+
+  describe "PUT moderate" do
+    it "keeps query parameters while using protected redirects" do
+      id = create(:budget_investment).id
+
+      get :moderate, params: { resource_ids: [id], filter: "all", host: "evil.dev" }
+
+      expect(response).to redirect_to "/moderation/budget_investments?filter=all&resource_ids%5B%5D=#{id}"
+    end
+  end
+end
diff --git a/spec/controllers/moderation/users_controller_spec.rb b/spec/controllers/moderation/users_controller_spec.rb
new file mode 100644
index 000000000..424e41c8b
--- /dev/null
+++ b/spec/controllers/moderation/users_controller_spec.rb
@@ -0,0 +1,15 @@
+require "rails_helper"
+
+describe Moderation::UsersController do
+  before { sign_in create(:moderator).user }
+
+  describe "PUT hide_in_moderation_screen" do
+    it "keeps query parameters while using protected redirects" do
+      user = create(:user, email: "user@consul.dev")
+
+      get :hide_in_moderation_screen, params: { id: user, name_or_email: "user@consul.dev", host: "evil.dev" }
+
+      expect(response).to redirect_to "/moderation/users?name_or_email=user%40consul.dev"
+    end
+  end
+end