From: Ben Darnell
Date: Fri, 6 Aug 2010 20:12:14 +0000 (-0700)
Subject: When login_url is absolute, use an absolute url for the next redirect.
X-Git-Tag: v1.1.0~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98d4126169836f498b892345137dbffa92024b9a;p=thirdparty%2Ftornado.git
When login_url is absolute, use an absolute url for the next redirect.
Closes: GH-119
---
diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py
new file mode 100644
index 000000000..264bc526b
--- /dev/null
+++ b/tornado/test/httpserver_test.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+from tornado.testing import AsyncHTTPTestCase, LogTrapTestCase
+from tornado.web import authenticated, Application, RequestHandler
+import re
+import unittest
+import urllib
+
+class AuthRedirectRequestHandler(RequestHandler):
+ def initialize(self, login_url):
+ self.login_url = login_url
+
+ def get_login_url(self):
+ return self.login_url
+
+ @authenticated
+ def get(self):
+ # we'll never actually get here because the test doesn't follow redirects
+ self.send_error(500)
+
+class AuthRedirectTest(AsyncHTTPTestCase, LogTrapTestCase):
+ def get_app(self):
+ return Application([('/relative', AuthRedirectRequestHandler,
+ dict(login_url='/login')),
+ ('/absolute', AuthRedirectRequestHandler,
+ dict(login_url='http://example.com/login'))])
+
+ def test_relative_auth_redirect(self):
+ self.http_client.fetch(self.get_url('/relative'), self.stop,
+ follow_redirects=False)
+ response = self.wait()
+ self.assertEqual(response.code, 302)
+ self.assertEqual(response.headers['Location'], '/login?next=%2Frelative')
+
+ def test_absolute_auth_redirect(self):
+ self.http_client.fetch(self.get_url('/absolute'), self.stop,
+ follow_redirects=False)
+ response = self.wait()
+ self.assertEqual(response.code, 302)
+ self.assertTrue(re.match(
+ 'http://example.com/login\?next=http%3A%2F%2Flocalhost%3A[0-9]+%2Fabsolute',
+ response.headers['Location']), response.headers['Location'])
diff --git a/tornado/test/runtests.py b/tornado/test/runtests.py
index 36243589f..383119497 100755
--- a/tornado/test/runtests.py
+++ b/tornado/test/runtests.py
@@ -3,6 +3,7 @@ import unittest
 TEST_MODULES = [
 'tornado.httputil.doctests',
+ 'tornado.test.httpserver_test',
 'tornado.test.ioloop_test',
 'tornado.test.stack_context_test',
 'tornado.test.testing_test',
diff --git a/tornado/web.py b/tornado/web.py
index fd2158e23..92032a0b0 100644
--- a/tornado/web.py
+++ b/tornado/web.py
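Review bot: The pattern given to `re.match` in `test_absolute_auth_redirect` is looser than the assertion intends: the dots in `example.com` are unescaped, there is no end anchor, and `\?` sits in a non-raw string. A Location header carrying extra text after `%2Fabsolute` would still pass, which matters because this test is the only visible check on what ends up in `next`. Suggest `r'http://example\.com/login\?next=http%3A%2F%2Flocalhost%3A[0-9]+%2Fabsolute$'`. The `unittest` and `urllib` imports at the top of the new file are not used in the visible lines.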
@@ -1372,7 +1372,12 @@ def authenticated(method):
 if self.request.method == "GET":
 url = self.get_login_url()
 if "?" not in url:
- url += "?" + urllib.urlencode(dict(next=self.request.uri))
+ if urlparse.urlsplit(url).scheme:
+ # if login url is absolute, make next absolute too
+ next_url = self.request.full_url()
+ else:
+ next_url = self.request.uri
+ url += "?" + urllib.urlencode(dict(next=next_url))
 self.redirect(url)
 return
 raise HTTPError(403)
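Review bot: `next_url = self.request.full_url()` puts a full origin into the `next` parameter, and that origin presumably comes from the request's Host header and the protocol as the server saw them, neither of which is visible in this hunk. That makes `next` client-influenced input for the external login service, which has to check it against the hosts it is willing to return to before redirecting; behind a proxy the scheme and host may also be the internal ones. A comment on the new branch would record this, e.g. `# next is derived from the request's Host header; the login service must validate it before redirecting back`. Separately, a scheme-relative login URL such as `//example.com/login` has an empty `scheme` and still gets a relative `next`; testing `urlparse.urlsplit(url).netloc` as well would cover it. The enclosing wrapper inside `authenticated` starts before this hunk.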