Revision 217994f8 snf-astakos-app/astakos/im/views.py

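--- a/snf-astakos-app/astakos/im/views.py
+++ b/snf-astakos-app/astakos/im/views.py
@@ -56,7 +56,9 @@
 
 from astakos.im.models import AstakosUser, Invitation, ApprovalTerms
 from astakos.im.activation_backends import get_backend, SimpleBackend
-from astakos.im.util import get_context, prepare_response, set_cookie, get_query
+from astakos.im.util import (
+    get_context, prepare_response, set_cookie, get_query, restrict_next
+)
 from astakos.im.forms import *
 from astakos.im.functions import (send_greeting, send_feedback, SendMailError,
     invite as invite_func, logout as auth_logout, activate as activate_func
@@ -268,7 +270,10 @@
                 user = form.save()
                 reset_cookie = user.auth_token != prev_token
                 form = ProfileForm(instance=user)
-                next = request.POST.get('next')
+                next = restrict_next(
+                    request.POST.get('next'),
+                    domain=COOKIE_DOMAIN
+                )
                 if next:
                     return redirect(next)
                 msg = _('<p>Profile has been updated successfully</p>')
@@ -419,7 +424,7 @@
                            feedback_form = form,
                            context_instance = get_context(request, extra_context))
 
-@require_http_methods(["GET", "POST"])
+@require_http_methods(["GET"])
 def logout(request, template='registration/logged_out.html', extra_context={}):
     """
     Wraps `django.contrib.auth.logout` and delete the cookie.
@@ -431,7 +436,10 @@
         response.delete_cookie(COOKIE_NAME, path='/', domain=COOKIE_DOMAIN)
         msg = 'Cookie deleted for %s' % email
         logger._log(LOGGING_LEVEL, msg, [])
-    next = request.GET.get('next')
+    next = restrict_next(
+        request.GET.get('next'),
+        domain=COOKIE_DOMAIN
+    )
     if next:
         response['Location'] = next
         response.status_code = 302
@@ -506,7 +514,10 @@
     terms = f.read()
 
     if request.method == 'POST':
-        next = request.POST.get('next')
+        next = restrict_next(
+            request.POST.get('next'),
+            domain=COOKIE_DOMAIN
+        )
         if not next:
             next = reverse('astakos.im.views.index')
         form = SignApprovalTermsForm(request.POST, instance=request.user)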
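Review bot: A `next` value that `restrict_next` rejects is dropped silently in the profile hunk (new lines 273–276) and the logout hunk (new lines 439–442), so a redirect target pointing outside the cookie domain leaves no trace even though logout already writes to `logger` two lines earlier. Consider keeping the raw value and logging when it is discarded, e.g. `raw_next = request.GET.get('next')` / `next = restrict_next(raw_next, domain=COOKIE_DOMAIN)` / `if raw_next and not next: logger.log(LOGGING_LEVEL, 'Discarded next=%r', raw_next)`; the same applies to the approval-terms hunk (new lines 517–520). Note also that `logout` now answers only GET (new line 427), so the cookie deletion and the redirect are reachable from a plain cross-site link; if that is intended, the docstring at line 430 should say so. Both `restrict_next` and `COOKIE_DOMAIN` are defined outside these hunks, so what the helper does when the domain is unset or the value is scheme-relative cannot be confirmed from here and should be covered by its own tests.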
