before_action :require_self, :only => [:account]
before_action :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public]
before_action :require_cookies, :only => [:new, :login, :confirm]
- before_action :lookup_user_by_name, :only => [:set_status, :delete]
+ before_action :lookup_user_by_name, :only => [:set_status, :destroy]
before_action :allow_thirdparty_images, :only => [:show, :account]
def terms
flash[:notice] = t("users.new.terms declined", :url => t("users.new.terms declined url")).html_safe if current_user.save
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :action => :account, :display_name => current_user.display_name
end
end
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :action => :account, :display_name => current_user.display_name
end
def new
@title = t "users.new.title"
- @referer = params[:referer] || session[:referer]
+ @referer = if params[:referer]
+ safe_referer(params[:referer])
+ else
+ session[:referer]
+ end
append_content_security_policy_directives(
:form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
self.current_user = User.new(user_params)
if check_signup_allowed(current_user.email)
- session[:referer] = params[:referer]
+ session[:referer] = safe_referer(params[:referer]) if params[:referer]
+
+ Rails.logger.info "create: #{session[:referer]}"
current_user.status = "pending"
end
def login
- session[:referer] = params[:referer] if params[:referer]
+ session[:referer] = safe_referer(params[:referer]) if params[:referer]
if params[:username].present? && params[:password].present?
session[:remember_me] ||= params[:remember_me]
session.delete(:user)
session_expires_automatically
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :controller => "site", :action => "index"
end
user.email_valid = true
flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
user.save!
- referer = token.referer
+ referer = safe_referer(token.referer) if token.referer
token.destroy
if session[:token]
gravatar_enabled = gravatar_enable(current_user)
if current_user.save
flash[:notice] = if gravatar_enabled
- t("users.confirm_email.success") + " " + gravatar_status_message(current_user)
+ "#{t('users.confirm_email.success')} #{gravatar_status_message(current_user)}"
else
t("users.confirm_email.success")
end
##
# delete a user, marking them as deleted and removing personal data
- def delete
+ def destroy
@user.delete
redirect_to user_path(:display_name => params[:display_name])
end
##
# omniauth failure callback
def auth_failure
- flash[:error] = t("users.auth_failure." + params[:message])
+ flash[:error] = t("users.auth_failure.#{params[:message]}")
redirect_to params[:origin] || login_url
end
if referer.nil?
params[:origin] = request.path
else
- params[:origin] = request.path + "?referer=" + CGI.escape(referer)
+ params[:origin] = "#{request.path}?referer=#{CGI.escape(referer)}"
params[:referer] = referer
end
projects / rails.git / blobdiff