
[6.x] Fix elevated session redirect for POST endpoints#14544

Merged: jasonvarga merged 1 commit into 6.x from fix-elevated-session-post-redirect on Apr 23, 2026

Conversation

@jasonvarga (Member)

Summary

When a user submits a POST request to an endpoint protected by RequireElevatedSession without an elevated session, they're redirected to the password confirmation page. After confirming, redirect()->intended() sends them back to the original URL as a GET, which typically results in 405 Method Not Allowed (or lands on an unrelated GET handler).

The cause: ElevatedSessionAuthorizationException was calling setIntendedUrl($request->fullUrl()) — for a POST, that's the POST-only endpoint.

This change uses the Referer header as the intended URL for non-GET requests, so the user lands back on the form page and can resubmit. External referers are rejected via URL::isExternalToApplication, and if the referer is missing/external we fall back to fullUrl(). GET behavior is unchanged.

Noticed in the 2FA flow (POST /!/auth/two-factor/enable) but the fix is general and benefits any POST endpoint behind RequireElevatedSession.

Test plan

  • POST to a protected endpoint with a valid Referer → intended URL is the referer
  • POST with an external Referer → falls back to fullUrl()
  • POST with no Referer → falls back to fullUrl()
  • GET to a protected endpoint → intended URL is still fullUrl() (unchanged)
  • Full tests/Auth/ElevatedSessionTest.php suite passes
  • --group 2fa suite passes

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
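The intended-URL decision laid out in the description, as an added stand-alone model in Python (not Statamic's PHP and not the project's code): non-GET requests prefer the Referer unless it is missing or points outside the application, and GET keeps the requested URL. The application host and the URLs are constructed values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed value standing in for the application's own host (app.url).
APP_HOST = "example.test"


def is_external_to_application(url: str, app_host: str = APP_HOST) -> bool:
    """Model of the external-referer check: True when `url` would leave the app.

    Path-only values ("/cp/users") stay internal. Anything carrying an authority
    part must match the app host; urlsplit resolves protocol-relative
    "//evil.test/x" and "https://example.test@evil.test/" to the real host, so
    those are rejected too. Non-HTTP schemes are treated as external as an
    additional guard.
    """
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True
    if not parts.netloc:
        return False
    return (parts.hostname or "").lower() != app_host.lower()


def intended_url(method: str, full_url: str, referer: Optional[str],
                 app_host: str = APP_HOST) -> str:
    """Return the URL redirect()->intended() should send the user to.

    GET is unchanged: the requested URL is used. For any other method the
    requested URL is a POST-only endpoint, so the Referer (the form page) is
    preferred; if it is absent or external, fall back to the requested URL.
    """
    if method.upper() == "GET":
        return full_url
    if referer and not is_external_to_application(referer, app_host):
        return referer
    return full_url
```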
@jasonvarga jasonvarga merged commit acae0b3 into 6.x Apr 23, 2026
18 checks passed
@jasonvarga jasonvarga deleted the fix-elevated-session-post-redirect branch April 23, 2026 20:52