FIX: never redirect back to /sso it will cause a loop

If for any reason our return url is set to `/sso` bypass using it for login redirect
2025-05-21 18:12:32 +08:00 · 2018-11-09 14:27:36 +11:00
parent 515e103db6
commit e6b3310577
2 changed files with 15 additions and 0 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -168,6 +168,11 @@ class SessionController < ApplicationController
          end
        end

+        # never redirects back to sso in an sso loop
+        if return_path.start_with?(path("/sso"))
+          return_path = path("/")
+        end
+
        redirect_to return_path
      else
        render_sso_error(text: I18n.t("sso.not_found"), status: 500)