6 лет назад · 4972e428aa
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,15 +1,23 @@
 
				 # CHANGES
			
 
				 
			
 
				-## v3.6.9-RC
			
 
				+## v3.6.10
			
 
				 
			
 
				 *
			
 
				 
			
 
				+## v3.6.9
			
 
				+
			
 
				+* Improvement: Redirection when login/logout
			
 
				+* Improvement: Add home icon before '/'
			
 
				+* Fix: Client crashed when the first login
			
 
				+    * Introduced by 3.6.8
			
 
				+
			
 
				 ## v3.6.8
			
 
				 
			
 
				 * Improvement: Show page history side-by-side
			
 
				 * Improvement: Optimize markdown rendering
			
 
				 * Improvement: Reactify admin pages (Navigation)
			
 
				 * Fix: Reply comments collapsed are broken
			
 
				+    * Introduced by 3.6.7
			
 
				 * Support: Update libs
			
 
				     * cross-env
			
 
				     * mkdirp
			
--- a/config/logger/config.dev.js
+++ b/config/logger/config.dev.js
@@ -14,6 +14,7 @@ module.exports = {
 
				   'growi:models:external-account': 'debug',
			
 
				   // 'growi:routes:login': 'debug',
			
 
				   'growi:routes:login-passport': 'debug',
			
 
				+  'growi:middleware:safe-redirect': 'debug',
			
 
				   'growi:service:PassportService': 'debug',
			
 
				   // 'growi:service:ConfigManager': 'debug',
			
 
				   'growi:lib:search': 'debug',
			
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 
				 {
			
 
				   "name": "growi",
			
 
				-  "version": "3.6.8-RC",
			
 
				+  "version": "3.6.9-RC",
			
 
				   "description": "Team collaboration software using markdown",
			
 
				   "tags": [
			
 
				     "wiki",
			
--- a/resource/locales/en-US/translation.json
+++ b/resource/locales/en-US/translation.json
@@ -46,6 +46,7 @@
 
				   "Timeline View": "Timeline",
			
 
				   "History": "History",
			
 
				   "Presentation Mode": "Presentation",
			
 
				+  "Not available for guest": "Not available for guest",
			
 
				   "username": "Username",
			
 
				   "Created": "Created",
			
 
				   "Last updated": "Updated",
			
--- a/resource/locales/ja/translation.json
+++ b/resource/locales/ja/translation.json
@@ -46,6 +46,7 @@
 
				   "Timeline View": "タイムライン表示",
			
 
				   "History": "更新履歴",
			
 
				   "Presentation Mode": "プレゼンテーション",
			
 
				+  "Not available for guest": "ゲストユーザーは利用できません",
			
 
				   "username": "ユーザー名",
			
 
				   "Created": "作成日",
			
 
				   "Last updated": "最終更新",
			
--- a/src/client/js/components/Admin/Users/RemoveAdminButton.jsx
+++ b/src/client/js/components/Admin/Users/RemoveAdminButton.jsx
@@ -51,11 +51,11 @@ class RemoveAdminButton extends React.Component {
 
				 
			
 
				   render() {
			
 
				     const { user } = this.props;
			
 
				-    const me = this.props.appContainer.me;
			
 
				+    const { currentUsername } = this.props.appContainer;
			
 
				 
			
 
				     return (
			
 
				       <Fragment>
			
 
				-        {user.username !== me ? this.renderRemoveAdminBtn()
			
 
				+        {user.username !== currentUsername ? this.renderRemoveAdminBtn()
			
 
				           : this.renderRemoveAdminAlert()}
			
 
				       </Fragment>
			
 
				     );
			
--- a/src/client/js/components/Admin/Users/StatusSuspendedButton.jsx
+++ b/src/client/js/components/Admin/Users/StatusSuspendedButton.jsx
@@ -50,11 +50,11 @@ class StatusSuspendedButton extends React.Component {
 
				 
			
 
				   render() {
			
 
				     const { user } = this.props;
			
 
				-    const me = this.props.appContainer.me;
			
 
				+    const { currentUsername } = this.props.appContainer;
			
 
				 
			
 
				     return (
			
 
				       <Fragment>
			
 
				-        {user.username !== me ? this.renderSuspendedBtn()
			
 
				+        {user.username !== currentUsername ? this.renderSuspendedBtn()
			
 
				           : this.renderSuspendedAlert()}
			
 
				       </Fragment>
			
 
				     );
			
--- a/src/client/js/components/BookmarkButton.jsx
+++ b/src/client/js/components/BookmarkButton.jsx
@@ -56,7 +56,7 @@ export default class BookmarkButton extends React.Component {
 
				   }
			
 
				 
			
 
				   isUserLoggedIn() {
			
 
				-    return this.props.crowi.me != null;
			
 
				+    return this.props.crowi.currentUserId != null;
			
 
				   }
			
 
				 
			
 
				   render() {
			
--- a/src/client/js/components/LikeButton.jsx
+++ b/src/client/js/components/LikeButton.jsx
@@ -37,7 +37,7 @@ class LikeButton extends React.Component {
 
				   }
			
 
				 
			
 
				   isUserLoggedIn() {
			
 
				-    return this.props.appContainer.me != null;
			
 
				+    return this.props.appContainer.currentUserId != null;
			
 
				   }
			
 
				 
			
 
				   render() {
			
--- a/src/client/js/components/Navbar/PersonalDropdown.jsx
+++ b/src/client/js/components/Navbar/PersonalDropdown.jsx
@@ -11,8 +11,7 @@ import UserPicture from '../User/UserPicture';
 
				 const PersonalDropdown = (props) => {
			
 
				 
			
 
				   const { t, appContainer } = props;
			
 
				-  const username = appContainer.me;
			
 
				-  const user = appContainer.findUser(username);
			
 
				+  const user = appContainer.currentUser || {};
			
 
				 
			
 
				   const logoutHandler = () => {
			
 
				     const { interceptorManager } = appContainer;
			
--- a/src/client/js/components/Page/RevisionPath.jsx
+++ b/src/client/js/components/Page/RevisionPath.jsx
@@ -100,9 +100,6 @@ class RevisionPath extends React.Component {
 
				 
			
 
				   render() {
			
 
				     // define styles
			
 
				-    const rootStyle = {
			
 
				-      marginRight: '0.2em',
			
 
				-    };
			
 
				     const separatorStyle = {
			
 
				       marginLeft: '0.2em',
			
 
				       marginRight: '0.2em',
			
@@ -115,6 +112,26 @@ class RevisionPath extends React.Component {
 
				     const { isInTrash } = this.state;
			
 
				     const pageLength = this.state.pages.length;
			
 
				 
			
 
				+    const rootElement = isInTrash
			
 
				+      ? (
			
 
				+        <>
			
 
				+          <span className="path-segment">
			
 
				+            <a href="/trash"><i className="icon-trash"></i></a>
			
 
				+          </span>
			
 
				+          <span className="separator" style={separatorStyle}><a href="/">/</a></span>
			
 
				+        </>
			
 
				+      )
			
 
				+      : (
			
 
				+        <>
			
 
				+          <span className="path-segment">
			
 
				+            <a href="/">
			
 
				+              <i className="icon-home"></i>
			
 
				+              <span className="separator" style={separatorStyle}>/</span>
			
 
				+            </a>
			
 
				+          </span>
			
 
				+        </>
			
 
				+      );
			
 
				+
			
 
				     const afterElements = [];
			
 
				     this.state.pages.forEach((page, index) => {
			
 
				       const isLastElement = (index === pageLength - 1);
			
@@ -136,14 +153,8 @@ class RevisionPath extends React.Component {
 
				 
			
 
				     return (
			
 
				       <span className="d-flex align-items-center">
			
 
				-        { isInTrash && (
			
 
				-          <span className="path-segment">
			
 
				-            <a href="/trash"><i className="icon-trash"></i></a>
			
 
				-          </span>
			
 
				-        ) }
			
 
				-        <span className="separator" style={isInTrash ? separatorStyle : rootStyle}>
			
 
				-          <a href="/">/</a>
			
 
				-        </span>
			
 
				+
			
 
				+        {rootElement}
			
 
				         {afterElements}
			
 
				 
			
 
				         <CopyDropdown t={this.props.t} pagePath={this.props.pagePath} pageId={this.props.pageId} buttonStyle={buttonStyle}></CopyDropdown>
			
--- a/src/client/js/components/PageAttachment.jsx
+++ b/src/client/js/components/PageAttachment.jsx
@@ -89,7 +89,7 @@ class PageAttachment extends React.Component {
 
				   }
			
 
				 
			
 
				   isUserLoggedIn() {
			
 
				-    return this.props.appContainer.me != null;
			
 
				+    return this.props.appContainer.currentUser != null;
			
 
				   }
			
 
				 
			
 
				   render() {
			
--- a/src/client/js/components/PageComment/Comment.jsx
+++ b/src/client/js/components/PageComment/Comment.jsx
@@ -80,7 +80,7 @@ class Comment extends React.PureComponent {
 
				   }
			
 
				 
			
 
				   isCurrentUserEqualsToAuthor() {
			
 
				-    return this.props.comment.creator.username === this.props.appContainer.me;
			
 
				+    return this.props.comment.creator.username === this.props.appContainer.currentUsername;
			
 
				   }
			
 
				 
			
 
				   isCurrentRevision() {
			
--- a/src/client/js/components/PageComment/CommentEditor.jsx
+++ b/src/client/js/components/PageComment/CommentEditor.jsx
@@ -212,8 +212,6 @@ class CommentEditor extends React.Component {
 
				 
			
 
				   render() {
			
 
				     const { appContainer, commentContainer } = this.props;
			
 
				-    const username = appContainer.me;
			
 
				-    const user = appContainer.findUser(username);
			
 
				     const commentPreview = this.state.isMarkdown ? this.getCommentHtml() : null;
			
 
				     const emojiStrategy = appContainer.getEmojiStrategy();
			
 
				 
			
@@ -236,7 +234,7 @@ class CommentEditor extends React.Component {
 
				         <div className="comment-form">
			
 
				           { isBaloonStyle && (
			
 
				             <div className="comment-form-user">
			
 
				-              <UserPicture user={user} />
			
 
				+              <UserPicture user={appContainer.currentUser} />
			
 
				             </div>
			
 
				           ) }
			
 
				           <div className="comment-form-main">
			
--- a/src/client/js/components/PageComment/CommentEditorLazyRenderer.jsx
+++ b/src/client/js/components/PageComment/CommentEditorLazyRenderer.jsx
@@ -27,9 +27,8 @@ class CommentEditorLazyRenderer extends React.Component {
 
				 
			
 
				   render() {
			
 
				     const { appContainer } = this.props;
			
 
				-    const username = appContainer.me;
			
 
				-    const isLoggedIn = username != null;
			
 
				-    const user = appContainer.findUser(username);
			
 
				+    const user = appContainer.currentUser;
			
 
				+    const isLoggedIn = user != null;
			
 
				 
			
 
				     const layoutType = this.props.appContainer.getConfig().layoutType;
			
 
				     const isBaloonStyle = layoutType.match(/crowi-plus|growi|kibela/);
			
--- a/src/client/js/components/PageComments.jsx
+++ b/src/client/js/components/PageComments.jsx
@@ -128,7 +128,7 @@ class PageComments extends React.Component {
 
				   renderThread(comment, replies) {
			
 
				     const commentId = comment._id;
			
 
				     const showEditor = this.state.showEditorIds.has(commentId);
			
 
				-    const isLoggedIn = this.props.appContainer.me != null;
			
 
				+    const isLoggedIn = this.props.appContainer.currentUser != null;
			
 
				 
			
 
				     let rootClassNames = 'page-comment-thread';
			
 
				     if (replies.length === 0) {
			
--- a/src/client/js/components/RecentCreated/RecentCreated.jsx
+++ b/src/client/js/components/RecentCreated/RecentCreated.jsx
@@ -37,7 +37,7 @@ class RecentCreated extends React.Component {
 
				     const { appContainer, pageContainer } = this.props;
			
 
				     const { pageId } = pageContainer.state;
			
 
				 
			
 
				-    const userId = appContainer.me;
			
 
				+    const userId = appContainer.currentUserId;
			
 
				     const limit = appContainer.getConfig().recentCreatedLimit;
			
 
				     const offset = (selectPageNumber - 1) * limit;
			
 
				 
			
--- a/src/client/js/legacy/crowi.js
+++ b/src/client/js/legacy/crowi.js
@@ -596,6 +596,11 @@ $(() => {
 
				 window.addEventListener('load', (e) => {
			
 
				   const { appContainer } = window;
			
 
				 
			
 
				+  // do nothing if user is guest
			
 
				+  if (appContainer.currentUser == null) {
			
 
				+    return;
			
 
				+  }
			
 
				+
			
 
				   // hash on page
			
 
				   if (window.location.hash) {
			
 
				     if ((window.location.hash === '#edit' || window.location.hash === '#edit-form') && $('.tab-pane#edit').length > 0) {
			
@@ -619,7 +624,9 @@ window.addEventListener('load', (e) => {
 
				       $('a[data-toggle="tab"][href="#revision-history"]').tab('show');
			
 
				     }
			
 
				   }
			
 
				+});
			
 
				 
			
 
				+window.addEventListener('load', (e) => {
			
 
				   const crowi = window.crowi;
			
 
				   if (crowi && crowi.users && crowi.users.length !== 0) {
			
 
				     const totalUsers = crowi.users.length;
			
--- a/src/client/js/services/AppContainer.js
+++ b/src/client/js/services/AppContainer.js
@@ -31,13 +31,17 @@ export default class AppContainer extends Container {
 
				 
			
 
				     const body = document.querySelector('body');
			
 
				 
			
 
				-    this.me = body.dataset.currentUsername || null; // will be initialized with null when data is empty string
			
 
				     this.isAdmin = body.dataset.isAdmin === 'true';
			
 
				     this.csrfToken = body.dataset.csrftoken;
			
 
				     this.isPluginEnabled = body.dataset.pluginEnabled === 'true';
			
 
				     this.isLoggedin = document.querySelector('.main-container.nologin') == null;
			
 
				 
			
 
				-    this.config = JSON.parse(document.getElementById('crowi-context-hydrate').textContent || '{}');
			
 
				+    this.config = JSON.parse(document.getElementById('growi-context-hydrate').textContent || '{}');
			
 
				+
			
 
				+    const currentUserElem = document.getElementById('growi-current-user');
			
 
				+    if (currentUserElem != null) {
			
 
				+      this.currentUser = JSON.parse(currentUserElem.textContent);
			
 
				+    }
			
 
				 
			
 
				     const userAgent = window.navigator.userAgent.toLowerCase();
			
 
				     this.isMobile = /iphone|ipad|android/.test(userAgent);
			
@@ -107,6 +111,20 @@ export default class AppContainer extends Container {
 
				     window.crowiPlugin = window.growiPlugin;
			
 
				   }
			
 
				 
			
 
				+  get currentUserId() {
			
 
				+    if (this.currentUser == null) {
			
 
				+      return null;
			
 
				+    }
			
 
				+    return this.currentUser._id;
			
 
				+  }
			
 
				+
			
 
				+  get currentUsername() {
			
 
				+    if (this.currentUser == null) {
			
 
				+      return null;
			
 
				+    }
			
 
				+    return this.currentUser.username;
			
 
				+  }
			
 
				+
			
 
				   /**
			
 
				    * @return {Object} window.Crowi (js/legacy/crowi.js)
			
 
				    */
			
@@ -271,14 +289,6 @@ export default class AppContainer extends Container {
 
				     return users;
			
 
				   }
			
 
				 
			
 
				-  findUser(username) {
			
 
				-    if (this.userByName && this.userByName[username]) {
			
 
				-      return this.userByName[username];
			
 
				-    }
			
 
				-
			
 
				-    return null;
			
 
				-  }
			
 
				-
			
 
				   launchHandsontableModal(componentKind, beginLineNumber, endLineNumber) {
			
 
				     let targetComponent;
			
 
				     switch (componentKind) {
			
--- a/src/client/styles/scss/style-app.scss
+++ b/src/client/styles/scss/style-app.scss
@@ -48,7 +48,7 @@
 
				 /*
			
 
				  * for Guest User Mode
			
 
				  */
			
 
				-.dropdown-disabled {
			
 
				+.dropdown-toggle.dropdown-toggle-disabled {
			
 
				   cursor: not-allowed;
			
 
				 }
			
 
				 
			
--- a/src/linter-checker/test.js
+++ b/src/linter-checker/test.js
@@ -1,13 +1,15 @@
 
				 /*
			
 
				  * VSCode の Eslint 設定チェック方法
			
 
				  *
			
 
				- * 1. VSCode で以下のエラーが表示されていることを確認
			
 
				+ * 1. .eslilntignore ファイル中の `/src/linter-checker/**` 行を消す
			
 
				+ * 
			
 
				+ * 2. VSCode で以下のエラーが表示されていることを確認
			
 
				  *   - constructor で eslint(space-before-blocks)
			
 
				  *   - ファイル末尾の ";" で eslint(eol-last)
			
 
				  *
			
 
				- * 2. VSCode で上書き保存
			
 
				+ * 3. VSCode で上書き保存
			
 
				  *
			
 
				- * 3. 以下のように整形され、全てのエラーが消えていることを確認
			
 
				+ * 4. 以下のように整形され、全てのエラーが消えていることを確認
			
 
				  *   - "constructor() {" のように間にスペースが入る
			
 
				  *   - ファイル末尾に空行が入る
			
 
				  *
			
--- a/src/linter-checker/test.scss
+++ b/src/linter-checker/test.scss
@@ -1,13 +1,15 @@
 
				 /*
			
 
				  * VSCode の Stylelint 設定チェック方法
			
 
				  *
			
 
				- * 1. VSCode で以下のエラーが表示されていることを確認
			
 
				+ * 1. .stylelintrc.json ファイル中の `src/linter-checker/test.scss` 行を削除
			
 
				+ * 
			
 
				+ * 2. VSCode で以下のエラーが表示されていることを確認
			
 
				  *   - color で stylelint(order/properties-order)
			
 
				  *   - ul で stylelint(selector-combinator-space-after)
			
 
				  *
			
 
				- * 2. VSCode で上書き保存
			
 
				+ * 3. VSCode で上書き保存
			
 
				  *
			
 
				- * 3. 以下のように整形され、全てのエラーが消えていることを確認
			
 
				+ * 4. 以下のように整形され、全てのエラーが消えていることを確認
			
 
				  *   - color が background の上の行にくる
			
 
				  *   - ul と li の間にスペースが入る
			
 
				  *
			
--- a/src/server/crowi/express-init.js
+++ b/src/server/crowi/express-init.js
@@ -19,6 +19,8 @@ module.exports = function(crowi, app) {
 
				   const i18nSprintf = require('i18next-sprintf-postprocessor');
			
 
				   const i18nMiddleware = require('i18next-express-middleware');
			
 
				 
			
 
				+  const safeRedirect = require('../middleware/safe-redirect')();
			
 
				+
			
 
				   const avoidSessionRoutes = require('../routes/avoid-session-routes');
			
 
				   const i18nUserSettingDetector = require('../util/i18nUserSettingDetector');
			
 
				 
			
@@ -113,6 +115,8 @@ module.exports = function(crowi, app) {
 
				 
			
 
				   app.use(flash());
			
 
				 
			
 
				+  app.use(safeRedirect);
			
 
				+
			
 
				   const middlewares = require('../util/middlewares')(crowi, app);
			
 
				 
			
 
				   app.use(middlewares.swigFilters(swig));
			
--- a/src/server/middleware/access-token-parser.js
+++ b/src/server/middleware/access-token-parser.js
@@ -16,7 +16,9 @@ module.exports = (crowi) => {
 
				     logger.debug('accessToken is', accessToken);
			
 
				 
			
 
				     const user = await User.findUserByApiToken(accessToken);
			
 
				-    req.user = user;
			
 
				+    // transforming attributes
			
 
				+    // see User model
			
 
				+    req.user = user.toObject();
			
 
				     req.skipCsrfVerify = true;
			
 
				 
			
 
				     logger.debug('Access token parsed: skipCsrfVerify');
			
--- a/src/server/middleware/login-required.js
+++ b/src/server/middleware/login-required.js
@@ -42,7 +42,7 @@ module.exports = (crowi, isGuestAllowed = false) => {
 
				       return res.sendStatus(403);
			
 
				     }
			
 
				 
			
 
				-    req.session.jumpTo = req.originalUrl;
			
 
				+    req.session.redirectTo = req.originalUrl;
			
 
				     return res.redirect('/login');
			
 
				   };
			
 
				 
			
--- a/src/server/middleware/safe-redirect.js
+++ b/src/server/middleware/safe-redirect.js
@@ -0,0 +1,65 @@
 
				+/**
			
 
				+ * Redirect with prevention from Open Redirect
			
 
				+ *
			
 
				+ * Usage: app.use(require('middleware/safe-redirect')(['example.com', 'some.example.com:8080']))
			
 
				+ */
			
 
				+
			
 
				+const loggerFactory = require('@alias/logger');
			
 
				+
			
 
				+const logger = loggerFactory('growi:middleware:safe-redirect');
			
 
				+
			
 
				+/**
			
 
				+ * Check whether the redirect url host is in specified whitelist
			
 
				+ * @param {Array<string>} whitelistOfHosts
			
 
				+ * @param {string} redirectToFqdn
			
 
				+ */
			
 
				+function isInWhitelist(whitelistOfHosts, redirectToFqdn) {
			
 
				+  if (whitelistOfHosts == null || whitelistOfHosts.length === 0) {
			
 
				+    return false;
			
 
				+  }
			
 
				+
			
 
				+  const redirectUrl = new URL(redirectToFqdn);
			
 
				+  return whitelistOfHosts.includes(redirectUrl.hostname) || whitelistOfHosts.includes(redirectUrl.host);
			
 
				+}
			
 
				+
			
 
				+
			
 
				+module.exports = (whitelistOfHosts) => {
			
 
				+
			
 
				+  return function(req, res, next) {
			
 
				+
			
 
				+    // extend res object
			
 
				+    res.safeRedirect = function(redirectTo) {
			
 
				+      if (redirectTo == null) {
			
 
				+        return res.redirect('/');
			
 
				+      }
			
 
				+
			
 
				+      try {
			
 
				+        // check inner redirect
			
 
				+        const redirectUrl = new URL(redirectTo, `${req.protocol}://${req.get('host')}`);
			
 
				+        if (redirectUrl.hostname === req.hostname) {
			
 
				+          logger.debug(`Requested redirect URL (${redirectTo}) is local.`);
			
 
				+          return res.redirect(redirectUrl.href);
			
 
				+        }
			
 
				+        logger.debug(`Requested redirect URL (${redirectTo}) is NOT local.`);
			
 
				+
			
 
				+        // check whitelisted redirect
			
 
				+        const isWhitelisted = isInWhitelist(whitelistOfHosts, redirectTo);
			
 
				+        if (isWhitelisted) {
			
 
				+          logger.debug(`Requested redirect URL (${redirectTo}) is in whitelist.`, `whitelist=${whitelistOfHosts}`);
			
 
				+          return res.redirect(redirectTo);
			
 
				+        }
			
 
				+        logger.debug(`Requested redirect URL (${redirectTo}) is NOT in whitelist.`, `whitelist=${whitelistOfHosts}`);
			
 
				+      }
			
 
				+      catch (err) {
			
 
				+        logger.warn(`Requested redirect URL (${redirectTo}) is invalid.`, err);
			
 
				+      }
			
 
				+
			
 
				+      logger.warn(`Requested redirect URL (${redirectTo}) is UNSAFE, redirecting to root page.`);
			
 
				+      return res.redirect('/');
			
 
				+    };
			
 
				+
			
 
				+    next();
			
 
				+
			
 
				+  };
			
 
				+
			
 
				+};
			
--- a/src/server/models/page.js
+++ b/src/server/models/page.js
@@ -214,7 +214,7 @@ class PageQueryBuilder {
 
				     return this;
			
 
				   }
			
 
				 
			
 
				-  addConditionToFilteringByViewer(user, userGroups, showAnyoneKnowsLink, showPagesRestrictedByOwner, showPagesRestrictedByGroup) {
			
 
				+  addConditionToFilteringByViewer(user, userGroups, showAnyoneKnowsLink = false, showPagesRestrictedByOwner = false, showPagesRestrictedByGroup = false) {
			
 
				     const grantConditions = [
			
 
				       { grant: null },
			
 
				       { grant: GRANT_PUBLIC },
			
@@ -831,6 +831,27 @@ module.exports = function(crowi) {
 
				     return builder.addConditionToFilteringByViewer(user, userGroups, showAnyoneKnowsLink, !hidePagesRestrictedByOwner, !hidePagesRestrictedByGroup);
			
 
				   }
			
 
				 
			
 
				+  /**
			
 
				+   * Add condition that filter pages by viewer
			
 
				+   *  by considering Config
			
 
				+   *
			
 
				+   * @param {PageQueryBuilder} builder
			
 
				+   * @param {User} user
			
 
				+   * @param {boolean} showAnyoneKnowsLink
			
 
				+   */
			
 
				+  async function addConditionToFilteringByViewerToEdit(builder, user) {
			
 
				+    validateCrowi();
			
 
				+
			
 
				+    // determine UserGroup condition
			
 
				+    let userGroups = null;
			
 
				+    if (user != null) {
			
 
				+      const UserGroupRelation = crowi.model('UserGroupRelation');
			
 
				+      userGroups = await UserGroupRelation.findAllUserGroupIdsRelatedToUser(user);
			
 
				+    }
			
 
				+
			
 
				+    return builder.addConditionToFilteringByViewer(user, userGroups, false, false, false);
			
 
				+  }
			
 
				+
			
 
				   /**
			
 
				    * export addConditionToFilteringByViewerForList as static method
			
 
				    */
			
@@ -1038,7 +1059,7 @@ module.exports = function(crowi) {
 
				     builder.addConditionToExcludeRedirect();
			
 
				 
			
 
				     // add grant conditions
			
 
				-    await addConditionToFilteringByViewerForList(builder, user);
			
 
				+    await addConditionToFilteringByViewerToEdit(builder, user);
			
 
				 
			
 
				     // get all pages that the specified user can update
			
 
				     const pages = await builder.query.exec();
			
--- a/src/server/routes/index.js
+++ b/src/server/routes/index.js
@@ -47,14 +47,14 @@ module.exports = function(crowi, app) {
 
				   }
			
 
				 
			
 
				   app.get('/login/error/:reason'     , login.error);
			
 
				-  app.get('/login'                   , middlewares.applicationInstalled    , login.login);
			
 
				+  app.get('/login'                   , middlewares.applicationInstalled     , login.preLogin, login.login);
			
 
				   app.get('/login/invited'           , login.invited);
			
 
				   app.post('/login/activateInvited'  , form.invited                         , csrf, login.invited);
			
 
				   app.post('/login'                  , form.login                           , csrf, loginPassport.loginWithLocal, loginPassport.loginWithLdap, loginPassport.loginFailure);
			
 
				   app.post('/_api/login/testLdap'    , loginRequiredStrictly , form.login , loginPassport.testLdapCredentials);
			
 
				 
			
 
				   app.post('/register'               , form.register                        , csrf, login.register);
			
 
				-  app.get('/register'                , middlewares.applicationInstalled    , login.register);
			
 
				+  app.get('/register'                , middlewares.applicationInstalled     , login.preLogin, login.register);
			
 
				   app.get('/logout'                  , logout.logout);
			
 
				 
			
 
				   app.get('/admin'                          , loginRequiredStrictly , adminRequired , admin.index);
			
--- a/src/server/routes/login-passport.js
+++ b/src/server/routes/login-passport.js
@@ -4,7 +4,6 @@ module.exports = function(crowi, app) {
 
				   const debug = require('debug')('growi:routes:login-passport');
			
 
				   const logger = require('@alias/logger')('growi:routes:login-passport');
			
 
				   const passport = require('passport');
			
 
				-  const { URL } = require('url');
			
 
				   const ExternalAccount = crowi.model('ExternalAccount');
			
 
				   const passportService = crowi.passportService;
			
 
				 
			
@@ -22,25 +21,10 @@ module.exports = function(crowi, app) {
 
				       }
			
 
				     });
			
 
				 
			
 
				-    const jumpTo = req.session.jumpTo;
			
 
				-    if (jumpTo) {
			
 
				-      req.session.jumpTo = null;
			
 
				-
			
 
				-      // prevention from open redirect
			
 
				-      try {
			
 
				-        const redirectUrl = new URL(jumpTo, `${req.protocol}://${req.get('host')}`);
			
 
				-        if (redirectUrl.hostname === req.hostname) {
			
 
				-          return res.redirect(redirectUrl);
			
 
				-        }
			
 
				-        logger.warn('Requested redirect URL is invalid, redirect to root page');
			
 
				-      }
			
 
				-      catch (err) {
			
 
				-        logger.warn('Requested redirect URL is invalid, redirect to root page', err);
			
 
				-        return res.redirect('/');
			
 
				-      }
			
 
				-    }
			
 
				-
			
 
				-    return res.redirect('/');
			
 
				+    const { redirectTo } = req.session;
			
 
				+    // remove session.redirectTo
			
 
				+    delete req.session.redirectTo;
			
 
				+    return res.safeRedirect(redirectTo);
			
 
				   };
			
 
				 
			
 
				   /**
			
--- a/src/server/routes/login.js
+++ b/src/server/routes/login.js
@@ -15,7 +15,9 @@ module.exports = function(crowi, app) {
 
				   const actions = {};
			
 
				 
			
 
				   const loginSuccess = function(req, res, userData) {
			
 
				-    req.user = req.session.user = userData;
			
 
				+    // transforming attributes
			
 
				+    // see User model
			
 
				+    req.user = req.session.user = userData.toObject();
			
 
				 
			
 
				     // update lastLoginAt
			
 
				     userData.updateLastLoginAt(new Date(), (err, uData) => {
			
@@ -28,30 +30,10 @@ module.exports = function(crowi, app) {
 
				       return res.redirect('/me/password');
			
 
				     }
			
 
				 
			
 
				-    const jumpTo = req.session.jumpTo;
			
 
				-    if (jumpTo) {
			
 
				-      req.session.jumpTo = null;
			
 
				-
			
 
				-      // prevention from open redirect
			
 
				-      try {
			
 
				-        const redirectUrl = new URL(jumpTo, `${req.protocol}://${req.get('host')}`);
			
 
				-        if (redirectUrl.hostname === req.hostname) {
			
 
				-          return res.redirect(redirectUrl);
			
 
				-        }
			
 
				-        logger.warn('Requested redirect URL is invalid, redirect to root page');
			
 
				-      }
			
 
				-      catch (err) {
			
 
				-        logger.warn('Requested redirect URL is invalid, redirect to root page', err);
			
 
				-        return res.redirect('/');
			
 
				-      }
			
 
				-    }
			
 
				-
			
 
				-    return res.redirect('/');
			
 
				-  };
			
 
				-
			
 
				-  const loginFailure = function(req, res) {
			
 
				-    req.flash('warningMessage', 'Sign in failure.');
			
 
				-    return res.redirect('/login');
			
 
				+    const { redirectTo } = req.session;
			
 
				+    // remove session.redirectTo
			
 
				+    delete req.session.redirectTo;
			
 
				+    return res.safeRedirect(redirectTo);
			
 
				   };
			
 
				 
			
 
				   actions.error = function(req, res) {
			
@@ -72,30 +54,29 @@ module.exports = function(crowi, app) {
 
				     });
			
 
				   };
			
 
				 
			
 
				-  actions.login = function(req, res) {
			
 
				-    const loginForm = req.body.loginForm;
			
 
				+  actions.preLogin = function(req, res, next) {
			
 
				+    // user has already logged in
			
 
				+    if (req.user != null) {
			
 
				+      const { redirectTo } = req.session;
			
 
				+      // remove session.redirectTo
			
 
				+      delete req.session.redirectTo;
			
 
				+      return res.safeRedirect(redirectTo);
			
 
				+    }
			
 
				 
			
 
				-    if (req.method == 'POST' && req.form.isValid) {
			
 
				-      const username = loginForm.username;
			
 
				-      const password = loginForm.password;
			
 
				-
			
 
				-      // find user
			
 
				-      User.findUserByUsernameOrEmail(username, password, (err, user) => {
			
 
				-        if (err) { return loginFailure(req, res) }
			
 
				-        // check existence and password
			
 
				-        if (!user || !user.isPasswordValid(password)) {
			
 
				-          return loginFailure(req, res);
			
 
				-        }
			
 
				-        return loginSuccess(req, res, user);
			
 
				-      });
			
 
				+    // set referer to 'redirectTo'
			
 
				+    if (req.session.redirectTo == null && req.headers.referer != null) {
			
 
				+      req.session.redirectTo = req.headers.referer;
			
 
				     }
			
 
				-    else { // method GET
			
 
				-      if (req.form) {
			
 
				-        debug(req.form.errors);
			
 
				-      }
			
 
				-      return res.render('login', {
			
 
				-      });
			
 
				+
			
 
				+    next();
			
 
				+  }
			
 
				+
			
 
				+  actions.login = function(req, res) {
			
 
				+    if (req.form) {
			
 
				+      debug(req.form.errors);
			
 
				     }
			
 
				+
			
 
				+    return res.render('login', {});
			
 
				   };
			
 
				 
			
 
				   actions.register = function(req, res) {
			
--- a/src/server/routes/logout.js
+++ b/src/server/routes/logout.js
@@ -2,7 +2,10 @@ module.exports = function(crowi, app) {
 
				   return {
			
 
				     logout(req, res) {
			
 
				       req.session.destroy();
			
 
				-      return res.redirect('/');
			
 
				+
			
 
				+      // redirect
			
 
				+      const redirectTo = req.headers.referer || '/';
			
 
				+      return res.safeRedirect(redirectTo);
			
 
				     },
			
 
				   };
			
 
				 };
			
--- a/src/server/views/installer.html
+++ b/src/server/views/installer.html
@@ -86,7 +86,7 @@
 
				 </body>
			
 
				 {% endblock %}
			
 
				 
			
 
				-<script type="application/json" id="crowi-context-hydrate">
			
 
				+<script type="application/json" id="growi-context-hydrate">
			
 
				 {{ local_config|json|safe|preventXss }}
			
 
				 </script>
			
 
				 
			
--- a/src/server/views/layout/layout.html
+++ b/src/server/views/layout/layout.html
@@ -63,7 +63,6 @@
 
				 <body
			
 
				   class="main-container content-wrapper {% block html_base_css %}{% endblock %}
			
 
				       {% if !getConfig('crowi', 'customize:layout') || 'crowi' === getConfig('crowi', 'customize:layout') %}crowi{% elseif !getConfig('crowi', 'customize:layout') || 'kibela' === getConfig('crowi', 'customize:layout') %}kibela{% else %}growi{% endif %}"
			
 
				-  data-me="{{ user._id.toString() }}"
			
 
				   data-is-admin="{{ user.admin }}"
			
 
				   data-plugin-enabled="{{ getConfig('crowi', 'plugin:isEnabledPlugins') }}"
			
 
				   {% block html_base_attr %}{% endblock %}
			
@@ -193,10 +192,16 @@
 
				 </body>
			
 
				 {% endblock %}
			
 
				 
			
 
				-<script type="application/json" id="crowi-context-hydrate">
			
 
				+<script type="application/json" id="growi-context-hydrate">
			
 
				 {{ local_config|json|safe|preventXss }}
			
 
				 </script>
			
 
				 
			
 
				+{% if user != null %}
			
 
				+  <script type="application/json" id="growi-current-user">
			
 
				+  {{ user|json|safe|preventXss }}
			
 
				+  </script>
			
 
				+{% endif %}
			
 
				+
			
 
				 {% block custom_script %}
			
 
				 <script>
			
 
				   {{ customizeService.getCustomScript() }}
			
--- a/src/server/views/widget/not_found_tabs.html
+++ b/src/server/views/widget/not_found_tabs.html
@@ -7,7 +7,10 @@
 
				 
			
 
				   {% if !isTrashPage() and !page.isDeleted() %}
			
 
				   <li class="nav-main-left-tab">
			
 
				-    <a {% if user %}href="#edit" data-toggle="tab"{% endif %} class="edit-button {% if not user %}edit-button-disabled{% endif %}">
			
 
				+    <a
			
 
				+      {% if user %} href="#edit" data-toggle="tab" class="edit-button" {% endif %}
			
 
				+      {% if not user %} class="edit-button edit-button-disabled" data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}" {% endif %}
			
 
				+    >
			
 
				       <i class="icon-note"></i> {{ t('Create') }}
			
 
				     </a>
			
 
				   </li>
			
--- a/src/server/views/widget/page_tabs.html
+++ b/src/server/views/widget/page_tabs.html
@@ -12,13 +12,25 @@
 
				 
			
 
				   {% if !isTrashPage() %}
			
 
				   <li class="nav-main-left-tab nav-tab-edit">
			
 
				-    <a {% if user %}href="#edit" data-toggle="tab"{% endif %} class="edit-button {% if not user %}edit-button-disabled{% endif %}">
			
 
				+    <a
			
 
				+      {% if user %} href="#edit" data-toggle="tab" class="edit-button" {% endif %}
			
 
				+      {% if not user %}
			
 
				+        class="edit-button edit-button-disabled"
			
 
				+        data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+      {% endif %}
			
 
				+    >
			
 
				       <i class="icon-note"></i> {{ t('Edit') }}
			
 
				     </a>
			
 
				   </li>
			
 
				   {% if isHackmdSetup() %}
			
 
				   <li class="nav-main-left-tab nav-tab-hackmd">
			
 
				-    <a {% if user %}href="#hackmd" data-toggle="tab"{% endif %} class="{% if not user %}edit-button-disabled{% endif %}">
			
 
				+    <a
			
 
				+      {% if user %} href="#hackmd" data-toggle="tab" class="edit-button" {% endif %}
			
 
				+      {% if not user %}
			
 
				+        class="edit-button edit-button-disabled"
			
 
				+        data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+      {% endif %}
			
 
				+    >
			
 
				       <i class="fa fa-file-text-o"></i> {{ t('HackMD') }}
			
 
				     </a>
			
 
				   </li>
			
@@ -31,7 +43,13 @@
 
				   {% if !isTrashPage() %}
			
 
				     {% if page.isPortal() %}
			
 
				     <li class="nav-main-right-tab dropdown pull-right">
			
 
				-      <a class="dropdown-toggle {% if not user %}dropdown-disabled{% endif %}" {% if user %}data-toggle="dropdown" href="#"{% endif %}>
			
 
				+      <a
			
 
				+        {% if user %} role="button" class="dropdown-toggle" data-toggle="dropdown" {% endif %}
			
 
				+        {% if not user %}
			
 
				+          class="dropdown-toggle dropdown-toggle-disabled"
			
 
				+          data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+        {% endif %}
			
 
				+      >
			
 
				         <i class="icon-options-vertical"></i>
			
 
				       </a>
			
 
				       <ul class="dropdown-menu">
			
@@ -47,7 +65,13 @@
 
				     </li>
			
 
				     {% else %}
			
 
				     <li class="nav-main-right-tab dropdown pull-right">
			
 
				-      <a class="dropdown-toggle {% if not user %}dropdown-disabled{% endif %}" {% if user %}data-toggle="dropdown" href="#"{% endif %}>
			
 
				+      <a
			
 
				+        {% if user %} role="button" class="dropdown-toggle" data-toggle="dropdown" {% endif %}
			
 
				+        {% if not user %}
			
 
				+          class="dropdown-toggle dropdown-toggle-disabled"
			
 
				+          data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+        {% endif %}
			
 
				+      >
			
 
				         <i class="icon-options-vertical"></i>
			
 
				       </a>
			
 
				       <ul class="dropdown-menu">
			
--- a/src/server/views/widget/page_tabs_kibela.html
+++ b/src/server/views/widget/page_tabs_kibela.html
@@ -12,13 +12,25 @@
 
				 
			
 
				   {% if !isTrashPage() %}
			
 
				   <li class="nav-main-left-tab nav-tab-edit">
			
 
				-    <a {% if user %}href="#edit" data-toggle="tab"{% endif %} class="edit-button {% if not user %}edit-button-disabled{% endif %}">
			
 
				+    <a
			
 
				+      {% if user %} href="#edit" data-toggle="tab" class="edit-button" {% endif %}
			
 
				+      {% if not user %}
			
 
				+        class="edit-button edit-button-disabled"
			
 
				+        data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+      {% endif %}
			
 
				+    >
			
 
				       <i class="icon-note"></i> {{ t('Edit') }}
			
 
				     </a>
			
 
				   </li>
			
 
				   {% if isHackmdSetup() %}
			
 
				   <li class="nav-main-left-tab nav-tab-hackmd">
			
 
				-    <a {% if user %}href="#hackmd" data-toggle="tab"{% endif %} class="{% if not user %}edit-button-disabled{% endif %}">
			
 
				+    <a
			
 
				+      {% if user %} href="#hackmd" data-toggle="tab" class="edit-button" {% endif %}
			
 
				+      {% if not user %}
			
 
				+        class="edit-button edit-button-disabled"
			
 
				+        data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+      {% endif %}
			
 
				+    >
			
 
				       <i class="fa fa-file-text-o"></i> {{ t('HackMD') }}
			
 
				     </a>
			
 
				   </li>
			
@@ -31,7 +43,13 @@
 
				   {% if !isTrashPage() %}
			
 
				     {% if page.isPortal() %}
			
 
				     <li class="nav-main-right-tab dropdown pull-right">
			
 
				-      <a class="dropdown-toggle {% if not user %}dropdown-disabled{% endif %}" {% if user %}data-toggle="dropdown" href="#"{% endif %}>
			
 
				+      <a
			
 
				+        {% if user %} role="button" class="dropdown-toggle" data-toggle="dropdown" {% endif %}
			
 
				+        {% if not user %}
			
 
				+          class="dropdown-toggle dropdown-toggle-disabled"
			
 
				+          data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+        {% endif %}
			
 
				+      >
			
 
				         <i class="icon-options-vertical"></i>
			
 
				       </a>
			
 
				       <ul class="dropdown-menu">
			
@@ -44,7 +62,13 @@
 
				     </li>
			
 
				     {% else %}
			
 
				     <li class="nav-main-right-tab dropdown pull-right">
			
 
				-      <a class="dropdown-toggle {% if not user %}dropdown-disabled{% endif %}" {% if user %}data-toggle="dropdown" href="#"{% endif %}>
			
 
				+      <a
			
 
				+        {% if user %} role="button" class="dropdown-toggle" data-toggle="dropdown" {% endif %}
			
 
				+        {% if not user %}
			
 
				+          class="dropdown-toggle dropdown-toggle-disabled"
			
 
				+          data-toggle="tooltip" data-placement="top" data-container="body" title="{{ t('Not available for guest') }}"
			
 
				+        {% endif %}
			
 
				+      >
			
 
				         <i class="icon-options-vertical"></i>
			
 
				       </a>
			
 
				       <ul class="dropdown-menu">
			
--- a/src/test/middleware/login-required.test.js
+++ b/src/test/middleware/login-required.test.js
@@ -101,7 +101,7 @@ describe('loginRequired', () => {
 
				       expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				       expect(res.redirect).toHaveBeenCalledWith('/login');
			
 
				       expect(result).toBe('redirect');
			
 
				-      expect(req.session.jumpTo).toBe('original url 1');
			
 
				+      expect(req.session.redirectTo).toBe('original url 1');
			
 
				     });
			
 
				 
			
 
				     test('pass user who logged in', () => {
			
@@ -119,7 +119,7 @@ describe('loginRequired', () => {
 
				       expect(res.redirect).not.toHaveBeenCalled();
			
 
				       expect(next).toHaveBeenCalledTimes(1);
			
 
				       expect(result).toBe('next');
			
 
				-      expect(req.session.jumpTo).toBe(undefined);
			
 
				+      expect(req.session.redirectTo).toBe(undefined);
			
 
				     });
			
 
				 
			
 
				     /* eslint-disable indent */
			
@@ -142,7 +142,7 @@ describe('loginRequired', () => {
 
				       expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				       expect(res.redirect).toHaveBeenCalledWith(expectedPath);
			
 
				       expect(result).toBe('redirect');
			
 
				-      expect(req.session.jumpTo).toBe(undefined);
			
 
				+      expect(req.session.redirectTo).toBe(undefined);
			
 
				     });
			
 
				     /* eslint-disable indent */
			
 
				 
			
@@ -163,7 +163,7 @@ describe('loginRequired', () => {
 
				       expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				       expect(res.redirect).toHaveBeenCalledWith('/login');
			
 
				       expect(result).toBe('redirect');
			
 
				-      expect(req.session.jumpTo).toBe('original url 1');
			
 
				+      expect(req.session.redirectTo).toBe('original url 1');
			
 
				     });
			
 
				 
			
 
				   });
			
--- a/src/test/middleware/safe-redirect.test.js
+++ b/src/test/middleware/safe-redirect.test.js
@@ -0,0 +1,108 @@
 
				+/* eslint-disable arrow-body-style */
			
 
				+
			
 
				+describe('safeRedirect', () => {
			
 
				+  let safeRedirect;
			
 
				+
			
 
				+  const whitelistOfHosts = [
			
 
				+    'white1.example.com:8080',
			
 
				+    'white2.example.com',
			
 
				+  ];
			
 
				+
			
 
				+  beforeEach(async(done) => {
			
 
				+    safeRedirect = require('@server/middleware/safe-redirect')(whitelistOfHosts);
			
 
				+    done();
			
 
				+  });
			
 
				+
			
 
				+  describe('res.safeRedirect', () => {
			
 
				+    // setup req/res/next
			
 
				+    const req = {
			
 
				+      protocol: 'http',
			
 
				+      hostname: 'example.com',
			
 
				+      get: jest.fn().mockReturnValue('example.com'),
			
 
				+    };
			
 
				+    const res = {
			
 
				+      redirect: jest.fn().mockReturnValue('redirect'),
			
 
				+    };
			
 
				+    const next = jest.fn();
			
 
				+
			
 
				+    test('redirects to \'/\' because specified url causes open redirect vulnerability', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('//evil.example.com');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('/');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+    test('redirects to \'/\' because specified host without port is not in whitelist', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('http://white1.example.com/path/to/page');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('/');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+    test('redirects to the specified local url', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('/path/to/page');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('http://example.com/path/to/page');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+    test('redirects to the specified local url (fqdn)', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('http://example.com/path/to/page');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('http://example.com/path/to/page');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+    test('redirects to the specified whitelisted url (white1.example.com:8080)', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('http://white1.example.com:8080/path/to/page');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('http://white1.example.com:8080/path/to/page');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+    test('redirects to the specified whitelisted url (white2.example.com:8080)', () => {
			
 
				+      safeRedirect(req, res, next);
			
 
				+
			
 
				+      const result = res.safeRedirect('http://white2.example.com:8080/path/to/page');
			
 
				+
			
 
				+      expect(next).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledTimes(1);
			
 
				+      expect(req.get).toHaveBeenCalledWith('host');
			
 
				+      expect(res.redirect).toHaveBeenCalledTimes(1);
			
 
				+      expect(res.redirect).toHaveBeenCalledWith('http://white2.example.com:8080/path/to/page');
			
 
				+      expect(result).toBe('redirect');
			
 
				+    });
			
 
				+
			
 
				+  });
			
 
				+
			
 
				+});