consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Redirect to referer after destroying an image

Browse Source 
The same way we do for documents. This way we avoid a possible
unprotected redirect.
This commit is contained in:
Javi Martín
2019-11-10 16:14:36 +01:00
parent 50bdfd5488
commit 9065683216
3 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/images_controller.rb
View File

@@ -11,7 +11,7 @@ class ImagesController < ApplicationController
else
flash[:alert] = t "images.actions.destroy.alert"
end
redirect_to params[:from]
redirect_to request.referer
end
format.js do
if @image.destroy

2
app/views/budgets/investments/_investment_show.html.erb
View File

@@ -26,7 +26,7 @@
<div class="sidebar-divider"></div>
<h2><%= t("budgets.investments.show.author") %></h2>
<div class="show-actions-menu">
<%= link_to image_path(investment.image, from: request.url),
<%= link_to image_path(investment.image),
method: :delete,
class: "button hollow alert expanded" do %>
<span class="icon-image"></span>

17
spec/controllers/images_controller_spec.rb Normal file
View File

@@ -0,0 +1,17 @@
require "rails_helper"
describe ImagesController do
let(:user) { create(:user) }
before { sign_in user }
describe "DELETE destroy" do
it "redirects to the referer URL" do
image = create(:image, imageable: create(:proposal, author: user))
request.env["HTTP_REFERER"] = "/proposals"
delete :destroy, params: { id: image, from: "http://evil.dev" }
expect(response).to redirect_to "/proposals"
end
end
end