Fix next url in events registrations admin

f15bece1 · Sébastiaan Versteeg · Thom Wiggers · fb7a15ef · f15bece1 · f15bece1
Commit f15bece1 authored Oct 31, 2018 by Sébastiaan Versteeg Committed by Thom Wiggers Nov 02, 2018
--- a/website/events/admin.py
+++ b/website/events/admin.py
 # -*- coding: utf-8 -*-
 """Registers admin interfaces for the events module"""
 from django.contrib import admin
+from django.core.exceptions import DisallowedRedirect
 from django.db.models import Max, Min
 from django.http import HttpResponseRedirect
 from django.template.defaultfilters import date as _date
@@ -22,10 +23,15 @@ from . import forms, models

 def _do_next(request, response):
    """See DoNextModelAdmin"""
-    if 'next' in request.GET and is_safe_url(request.GET['next']):
-        return HttpResponseRedirect(request.GET['next'])
-    else:
-        return response
+    if 'next' in request.GET:
+        if not is_safe_url(request.GET['next']):
+            raise DisallowedRedirect
+        elif '_save' in request.POST:
+            return HttpResponseRedirect(request.GET['next'])
+        elif response is not None:
+            return HttpResponseRedirect('{}?{}'.format(
+                response.url, request.GET.urlencode()))
+    return response


 class DoNextModelAdmin(TranslatedModelAdmin):

--- a/website/events/tests/test_admin.py
+++ b/website/events/tests/test_admin.py
@@ -2,6 +2,7 @@ import datetime
 from unittest import mock

 from django.contrib.admin import AdminSite
+from django.core.exceptions import DisallowedRedirect
 from django.http import HttpResponseRedirect
 from django.test import TestCase, RequestFactory, override_settings
 from django.utils import timezone
@@ -32,21 +33,26 @@ class DoNextModelAdminTest(TestCase):
        response = self.admin.response_add(request, None)
        self.assertIsNone(response, "Should return the original response")

-        request = self.rf.get('/admin/events/event/1', data={
-            'next': 'http://example.org',
-        })
-        response = self.admin.response_add(request, None)
-        self.assertNotIsInstance(response, HttpResponseRedirect,
-                                 "Should not redirect")
+        request = self.rf.post('/admin/events/event/1?next=http://example.org',
+                               data={
+                                   '_save': True
+                               })
+        with self.assertRaises(DisallowedRedirect):
+            self.admin.response_add(request, None)

-        request = self.rf.get('/admin/events/event/1', data={
-            'next': '/test',
+        request = self.rf.post('/admin/events/event/1?next=/test', data={
+            '_save': True
        })
        response = self.admin.response_add(request, None)
        self.assertIsInstance(response, HttpResponseRedirect)
        self.assertEqual('/test', response.url,
                         "Should return the url in the next parameter.")

+        request = self.rf.post('/admin/events/event/1?next=/test')
+        response = self.admin.response_add(request, None)
+        self.assertNotIsInstance(response, HttpResponseRedirect,
+                                 "Should not redirect")
+
    @mock.patch('utils.translation.TranslatedModelAdmin.response_change')
    def test_response_change(self, super_mock):
        super_mock.return_value = None
@@ -55,21 +61,26 @@ class DoNextModelAdminTest(TestCase):
        response = self.admin.response_change(request, None)
        self.assertIsNone(response, "Should return the original response")

-        request = self.rf.get('/admin/events/event/1', data={
-            'next': 'http://example.org',
-        })
-        response = self.admin.response_change(request, None)
-        self.assertNotIsInstance(response, HttpResponseRedirect,
-                                 "Should not redirect")
+        request = self.rf.post('/admin/events/event/1?next=http://example.org',
+                               data={
+                                   '_save': True
+                               })
+        with self.assertRaises(DisallowedRedirect):
+            self.admin.response_change(request, None)

-        request = self.rf.get('/admin/events/event/1', data={
-            'next': '/test',
+        request = self.rf.post('/admin/events/event/1?next=/test', data={
+            '_save': True
        })
        response = self.admin.response_change(request, None)
        self.assertIsInstance(response, HttpResponseRedirect)
        self.assertEqual('/test', response.url,
                         "Should return the url in the next parameter.")

+        request = self.rf.post('/admin/events/event/1?next=/test')
+        response = self.admin.response_change(request, None)
+        self.assertNotIsInstance(response, HttpResponseRedirect,
+                                 "Should not redirect")
+

 @freeze_time('2017-01-01')
 class RegistrationInformationFieldInlineTest(TestCase):