When login_url is absolute, use an absolute url for the next redirect.

Closes: GH-119

diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py
new file mode 100644 (file)
index 0000000..264bc52
--- /dev/null
+++ b/tornado/test/httpserver_test.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+from tornado.testing import AsyncHTTPTestCase, LogTrapTestCase
+from tornado.web import authenticated, Application, RequestHandler
+import re
+import unittest
+import urllib
+
+class AuthRedirectRequestHandler(RequestHandler):
+  def initialize(self, login_url):
+    self.login_url = login_url
+
+  def get_login_url(self):
+    return self.login_url
+
+  @authenticated
+  def get(self):
+    # we'll never actually get here because the test doesn't follow redirects
+    self.send_error(500)
+
+class AuthRedirectTest(AsyncHTTPTestCase, LogTrapTestCase):
+  def get_app(self):
+    return Application([('/relative', AuthRedirectRequestHandler,
+                         dict(login_url='/login')),
+                        ('/absolute', AuthRedirectRequestHandler,
+                         dict(login_url='http://example.com/login'))])
+
+  def test_relative_auth_redirect(self):
+    self.http_client.fetch(self.get_url('/relative'), self.stop,
+                           follow_redirects=False)
+    response = self.wait()
+    self.assertEqual(response.code, 302)
+    self.assertEqual(response.headers['Location'], '/login?next=%2Frelative')
+
+  def test_absolute_auth_redirect(self):
+    self.http_client.fetch(self.get_url('/absolute'), self.stop,
+                           follow_redirects=False)
+    response = self.wait()
+    self.assertEqual(response.code, 302)
+    self.assertTrue(re.match(
+        'http://example.com/login\?next=http%3A%2F%2Flocalhost%3A[0-9]+%2Fabsolute',
+        response.headers['Location']), response.headers['Location'])

diff --git a/tornado/test/runtests.py b/tornado/test/runtests.py
index 36243589f89e21cc9ca89923ae0d85baaa177004..3831194978fe1d75c072aa2dcec11a78ac60224b 100755 (executable)
--- a/tornado/test/runtests.py
+++ b/tornado/test/runtests.py
@@ -3,6 +3,7 @@ import unittest
 
 TEST_MODULES = [
     'tornado.httputil.doctests',
+    'tornado.test.httpserver_test',
     'tornado.test.ioloop_test',
     'tornado.test.stack_context_test',
     'tornado.test.testing_test',

diff --git a/tornado/web.py b/tornado/web.py
index fd2158e23f87c5c00757a4302cdce7eae2064f90..92032a0b08f92485c3eec3bd216df657532c38c2 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -1372,7 +1372,12 @@ def authenticated(method):
             if self.request.method == "GET":
                 url = self.get_login_url()
                 if "?" not in url:
-                    url += "?" + urllib.urlencode(dict(next=self.request.uri))
+                    if urlparse.urlsplit(url).scheme:
+                        # if login url is absolute, make next absolute too
+                        next_url = self.request.full_url()
+                    else:
+                        next_url = self.request.uri
+                    url += "?" + urllib.urlencode(dict(next=next_url))
                 self.redirect(url)
                 return
             raise HTTPError(403)