Merge pull request #232 from wvengen/feature-remove_unused_redirect_to

Security improvements

app/controllers/application_controller.rb

@@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base
   helper_method :available_locales
 
   protect_from_forgery
-  before_filter  :select_foodcoop, :authenticate, :store_controller, :items_per_page, :set_redirect_to
+  before_filter  :select_foodcoop, :authenticate, :store_controller, :items_per_page
   after_filter  :remove_controller
 
   
@@ -80,8 +80,8 @@ class ApplicationController < ActionController::Base
 
   # checks if the current_user is member of given group.
   # if fails the user will redirected to startpage
-  def authenticate_membership_or_admin
-    @group = Group.find(params[:id])
+  def authenticate_membership_or_admin(group_id = params[:id])
+    @group = Group.find(group_id)
     unless @group.member?(@current_user) or @current_user.role_admin?
       redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
     end
@@ -128,18 +128,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def set_redirect_to
-    session[:redirect_to] = params[:redirect_to] if params[:redirect_to]
-  end
-
-  def back_or_default_path(default = root_path)
-    if session[:redirect_to].present?
-      default = session[:redirect_to]
-      session[:redirect_to] = nil
-    end
-    default
-  end
-
   # Always stay in foodcoop url scope
   def default_url_options(options = {})
     {foodcoop: FoodsoftConfig.scope}

app/controllers/invites_controller.rb

@@ -1,20 +1,20 @@
 class InvitesController < ApplicationController
 
-  before_filter :authenticate_membership_or_admin, :only => [:new]
-  #TODO: authorize also for create action.
+  before_filter :authenticate_membership_or_admin_for_invites
   
   def new
     @invite = Invite.new(:user => @current_user, :group => @group)
   end
   
   def create
+    authenticate_membership_or_admin params[:invite][:group_id]
     @invite = Invite.new(params[:invite])
     if @invite.save
       Mailer.invite(@invite).deliver
 
       respond_to do |format|
         format.html do
-          redirect_to back_or_default_path, notice: I18n.t('invites.success')
+          redirect_to root_path, notice: I18n.t('invites.success')
         end
         format.js { render layout: false }
       end
@@ -23,4 +23,10 @@ class InvitesController < ApplicationController
       render action: :new
     end
   end
+
+  protected
+
+  def authenticate_membership_or_admin_for_invites
+    authenticate_membership_or_admin((params[:invite][:group_id] rescue params[:id]))
+  end
 end