
Revision 669eecb4

Added by Marek Hulán over 3 years ago

Fixes #31934 - correct redirection after user update

Saving the existing user form can lead to 404 under specific
circumstances. The reason is, we rely on HTTP Referer header to return
the user to where he entered the form from. This can be problematic in
case they had to resubmit the form because of validation error. That
sets /users/$id in the referer, however that route is only defined with
PATCH. The rails support for `return_back` does not take the HTTP method
into consideration, therefore the user is routed back to GET
/users/$id. Such a route does not exist. The exact steps to reproduce:

1) login as a user without email address, make sure you have access to
/users/index which is checked before redirecting
2) when you enter the form, create the poisoned Referer header by
submitting invalid form (e.g. empty email)
3) submit the form with valid data now
4) rails redirects you to previous page through /users/login and
verification before filter, in this case the page does not exist

This could be a problem elsewhere too; one can enter the page from other
page which is not accessible through GET. Therefore if the user has
permissions for user index page, we should redirect him or her to this
page (even though this may not be the page they come from). If they
don't have permission, we redirect them to the default landing page.

The impact is when I e.g. enter "My Account" from Subnets list, I'll end
up on Users list after I save my changes. I think that's acceptable
compared to issues I'd see if I enter "My Account" from any invalid
form (and other pages).
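The following Ruby sketch is an added illustration, not Foreman's code or the contents of this commit: it models the poisoned-Referer failure described above against a constructed route table and the fallback this fix chooses (users index if permitted, otherwise the default landing page). It goes one step further than the commit by following the Referer only when it is same-host and resolves to a GET route; `ROUTES`, `naive_redirect`, `safe_redirect` and the host `foreman.example` are all assumptions made for the example.

```ruby
require 'uri'

# Constructed route table modelled on the commit message (not Foreman's
# real routes): the users index is a GET route, but /users/:id exists only
# for PATCH, so a Referer pointing at it cannot be followed with a GET.
ROUTES = [
  { method: 'GET',   pattern: %r{\A/users\z} },
  { method: 'GET',   pattern: %r{\A/users/\d+/edit\z} },
  { method: 'PATCH', pattern: %r{\A/users/\d+\z} },
  { method: 'GET',   pattern: %r{\A/subnets\z} },
  { method: 'GET',   pattern: %r{\A/\z} }
].freeze

def get_routable?(path)
  ROUTES.any? { |r| r[:method] == 'GET' && r[:pattern].match?(path) }
end

# Models the pre-fix behaviour: the Referer is followed whenever one is
# present, regardless of which HTTP methods the referenced path accepts.
def naive_redirect(referer, fallback)
  referer || fallback
end

# Models the fallback chosen by this fix, plus one extra check: the Referer
# is followed only when it points at this host and at a GET route; otherwise
# the user lands on the users index (if permitted) or the default landing page.
def safe_redirect(referer, host:, can_view_users_index:)
  fallback = can_view_users_index ? '/users' : '/'
  return fallback if referer.nil?

  uri = URI.parse(referer) rescue nil
  return fallback unless uri && (uri.host.nil? || uri.host == host)

  path = uri.path.empty? ? '/' : uri.path
  get_routable?(path) ? path : fallback
end

if $PROGRAM_NAME == __FILE__
  poisoned = 'https://foreman.example/users/7' # left behind by the failed PATCH
  puts naive_redirect(poisoned, '/')           # /users/7 -> GET route missing, 404
  puts safe_redirect(poisoned, host: 'foreman.example', can_view_users_index: true)  # /users
  puts safe_redirect(poisoned, host: 'foreman.example', can_view_users_index: false) # /
end
```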
