fix: stabilize quick win redirects and task ownership
+22
-5
@@ -113,6 +113,23 @@ def _redirect_with_celebration(target_url: str, points: int | None = None):
return redirect(redirect_url)
def _safe_referrer_target(fallback: str) -> str:
referrer = request.referrer
if not referrer:
return fallback
parts = urlsplit(referrer)
if parts.netloc and parts.netloc != request.host:
return fallback
query = dict(parse_qsl(parts.query, keep_blank_values=True))
query.pop("celebrate_points", None)
target = urlunsplit(("", "", parts.path or fallback, urlencode(query), parts.fragment))
if not target.startswith("/") or len(target) > 1200:
return fallback
return target
@bp.route("/my-tasks")
@login_required
def my_tasks():
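Review bot: The final guard `if not target.startswith("/") or len(target) > 1200:` still accepts a protocol-relative target: a referrer of the form `http://<own host>//other.example/x` passes the netloc comparison because urlsplit puts `//other.example/x` into `parts.path`, and urlunsplit with empty scheme and netloc keeps the leading `//`, so redirect() would emit a Location that the browser resolves against a different host. Change the guard to `if not target.startswith("/") or target.startswith(("//", "/\\")) or len(target) > 1200:` so only origin-relative paths survive (the backslash form covers browsers that normalize `\` to `/`). A short docstring stating the contract would also help, e.g. `"""Return a same-origin relative path derived from the Referer header, or *fallback*."""`. The `parts.netloc != request.host` comparison is case-sensitive, so a referrer whose host differs only in case falls back to the default; that fails closed and is acceptable, but worth a comment.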
@@ -293,7 +310,7 @@ def quick_create():
flash(error, "error")
for error in extra_errors:
flash(error, "error")
return redirect(request.referrer or url_for("tasks.my_tasks"))
return redirect(_safe_referrer_target(url_for("tasks.my_tasks")))
task = create_quick_task(custom_title, form.effort.data, current_user, description="Quick-Win")
complete_task(task, current_user.id)
created_titles.append(task.title)
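Review bot: Every redirect site in this commit spells out `_safe_referrer_target(url_for("tasks.my_tasks"))`, here and again in the later hunks of quick_create and in both hunks of complete. Since the fallback is always the same view, letting the helper default to it (`def _safe_referrer_target(fallback: str | None = None) -> str:` with `fallback = fallback or url_for("tasks.my_tasks")` as its first statement) would reduce each call site to `_safe_referrer_target()` and keep the fallback defined in one place. quick_create starts and ends outside this hunk.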
@@ -301,14 +318,14 @@ def quick_create():
if not created_titles:
flash("Bitte wähle mindestens einen Quick-Win aus.", "error")
return redirect(request.referrer or url_for("tasks.my_tasks"))
return redirect(_safe_referrer_target(url_for("tasks.my_tasks")))
if len(created_titles) == 1:
flash(f"Quick-Win „{created_titles[0]}“ wurde als erledigt gespeichert.", "success")
else:
flash(f"{len(created_titles)} Quick-Wins wurden als erledigt gespeichert.", "success")
return _redirect_with_celebration(
request.referrer or url_for("tasks.my_tasks"),
_safe_referrer_target(url_for("tasks.my_tasks")),
total_points,
)
@@ -360,7 +377,7 @@ def complete(task_id: int):
choice = request.form.get("completed_for", "me")
if task.is_completed:
flash("Diese Aufgabe ist bereits erledigt.", "info")
return redirect(request.referrer or url_for("tasks.my_tasks"))
return redirect(_safe_referrer_target(url_for("tasks.my_tasks")))
completed_by_id = current_user.id
allowed_ids = {current_user.id}
@@ -377,7 +394,7 @@ def complete(task_id: int):
complete_task(task, completed_by_id)
flash("Punkte verbucht. Gute Arbeit.", "success")
return _redirect_with_celebration(
request.referrer or url_for("tasks.my_tasks"),
_safe_referrer_target(url_for("tasks.my_tasks")),
awarded_points,
)