Merge 0595e47 into 69b3849

Flask-Middleware · Dec 1, 2019 · 792865b · 792865b
2 parents 69b3849 + 0595e47
commit 792865b
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 12 deletions.
diff --git a/flask_security/utils.py b/flask_security/utils.py
@@ -367,8 +367,8 @@ def validate_redirect_url(url):
 
 def get_post_action_redirect(config_key, declared=None):
     urls = [
-        get_url(request.args.get("next")),
-        get_url(request.form.get("next")),
+        get_url(request.args.get("next", None)),
+        get_url(request.form.get("next", None)),
         find_redirect(config_key),
     ]
     if declared:

diff --git a/flask_security/views.py b/flask_security/views.py
@@ -212,16 +212,21 @@ def login():
         after_this_request(_commit)
 
         if not request.is_json:
-            return redirect(get_post_login_redirect(form.next.data))
+            return redirect(get_post_login_redirect())
 
     if _security._want_json(request):
         if current_user.is_authenticated:
             form.user = current_user
         return _base_render_json(form, include_auth_token=True)
 
-    return _security.render_template(
-        config_value("LOGIN_USER_TEMPLATE"), login_user_form=form, **_ctx("login")
-    )
+    if current_user.is_authenticated:
+        # Basically a no-op if authenticated - just perform the same
+        # post-login redirect as if user just logged in.
+        return redirect(get_post_login_redirect())
+    else:
+        return _security.render_template(
+            config_value("LOGIN_USER_TEMPLATE"), login_user_form=form, **_ctx("login")
+        )
 
 
 def logout():
@@ -264,12 +269,7 @@ def register():
             did_login = True
 
         if not request.is_json:
-            if "next" in form:
-                redirect_url = get_post_register_redirect(form.next.data)
-            else:
-                redirect_url = get_post_register_redirect()
-
-            return redirect(redirect_url)
+            return redirect(get_post_register_redirect())
 
         # Only include auth token if in fact user is permitted to login
         return _base_render_json(form, include_auth_token=did_login)

diff --git a/tests/test_common.py b/tests/test_common.py
@@ -70,6 +70,32 @@ def test_authenticate_with_invalid_input(client, get_message):
     assert get_message("EMAIL_NOT_PROVIDED") in response.data
 
 
+@pytest.mark.settings(post_login_view="/post_login")
+def test_get_already_authenticated(client):
+    response = authenticate(client, follow_redirects=True)
+    assert b"Welcome matt@lp.com" in response.data
+    response = client.get("/login", follow_redirects=True)
+    assert b"Post Login" in response.data
+
+
+@pytest.mark.settings(post_login_view="/post_login")
+def test_get_already_authenticated_next(client):
+    response = authenticate(client, follow_redirects=True)
+    assert b"Welcome matt@lp.com" in response.data
+    # This should override post_login_view
+    response = client.get("/login?next=/page1", follow_redirects=True)
+    assert b"Page 1" in response.data
+
+
+@pytest.mark.settings(post_login_view="/post_login")
+def test_post_already_authenticated(client):
+    response = authenticate(client, follow_redirects=True)
+    assert b"Welcome matt@lp.com" in response.data
+    data = dict(email="matt@lp.com", password="password")
+    response = client.post("/login", data=data, follow_redirects=True)
+    assert b"Post Login" in response.data
+
+
 def test_login_form(client):
     response = client.post("/login", data={"email": "matt@lp.com"})
     assert b"matt@lp.com" in response.data