Fix open redirect in sessions controller

The after_sign_in_path_for method returned params[:redir] directly when it didn't start with CONSOLE_URL, allowing redirects to any external URL after login. Now falls through to super for non-console URLs.
2 months ago · d28696f43d
parent 744d45d2c5
commit d28696f43d
1 changed files with 0 additions and 2 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -27,8 +27,6 @@ class SessionsController < Devise::SessionsController
  def after_sign_in_path_for(...)
    if params[:redir].present?
      return console_redirect_index_path(redir: params[:redir]) if params[:redir].starts_with?(Docuseal::CONSOLE_URL)
-
-      return params[:redir]
    end

    super