GKaszewski/movies-diary
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: profile delete redirect and open redirect via //

Browse Source
This commit is contained in:
Gabriel Kaszewski
2026-05-08 13:33:59 +02:00
parent 5f8eba9f84
commit a282539151
4 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
crates/adapters/template-askama/Cargo.toml
View File

@@ -8,6 +8,7 @@ askama = { version = "0.16.0" }
serde = { workspace = true } serde = { workspace = true }
chrono = { workspace = true } chrono = { workspace = true }
uuid = { workspace = true }
domain = { workspace = true } domain = { workspace = true }
application = { workspace = true } application = { workspace = true }

2
crates/adapters/template-askama/src/lib.rs
View File

@@ -71,6 +71,7 @@ struct MonthlyRatingRow<'a> {
struct ProfileTemplate<'a> { struct ProfileTemplate<'a> {
ctx: &'a HtmlPageContext, ctx: &'a HtmlPageContext,
profile_display_name: String, profile_display_name: String,
profile_user_id: uuid::Uuid,
stats: &'a UserStats, stats: &'a UserStats,
view: &'a str, view: &'a str,
entries: Option<&'a Paginated<DiaryEntry>>, entries: Option<&'a Paginated<DiaryEntry>>,
@@ -239,6 +240,7 @@ impl HtmlRenderer for AskamaHtmlRenderer {
ProfileTemplate { ProfileTemplate {
ctx: &data.ctx, ctx: &data.ctx,
profile_display_name, profile_display_name,
profile_user_id: data.profile_user_id,
stats: &data.stats, stats: &data.stats,
view: &data.view, view: &data.view,
entries: data.entries.as_ref(), entries: data.entries.as_ref(),

2
crates/adapters/template-askama/templates/profile.html
View File

@@ -141,7 +141,7 @@
<div class="watched-at">{{ entry.review().watched_at().format("%Y-%m-%d") }}</div> <div class="watched-at">{{ entry.review().watched_at().format("%Y-%m-%d") }}</div>
{% if ctx.is_current_user(entry.review().user_id().value()) %} {% if ctx.is_current_user(entry.review().user_id().value()) %}
<form method="post" action="/reviews/{{ entry.review().id().value() }}/delete" class="delete-form"> <form method="post" action="/reviews/{{ entry.review().id().value() }}/delete" class="delete-form">
<input type="hidden" name="redirect_after" value="?view={{ view }}&offset={{ current_offset }}"> <input type="hidden" name="redirect_after" value="/users/{{ profile_user_id }}?view={{ view }}&offset={{ current_offset }}">
<button type="submit">Delete</button> <button type="submit">Delete</button>
</form> </form>
{% endif %} {% endif %}

2
crates/presentation/src/handlers.rs
View File

@@ -229,7 +229,7 @@ pub mod html {
Ok(()) => { Ok(()) => {
let redirect_url = form let redirect_url = form
.redirect_after .redirect_after
.filter(|url| url.starts_with('/') || url.starts_with('?')) .filter(|url| (url.starts_with('/') && !url.starts_with("//")) || url.starts_with('?'))
.unwrap_or_else(|| "/".to_string()); .unwrap_or_else(|| "/".to_string());
Redirect::to(&redirect_url).into_response() Redirect::to(&redirect_url).into_response()
} }