
Merge pull request #1731 from weseek/dev/3.6.x

release v3.6.10
Yuki Takei 6 лет назад
Родитель
Сommit
4c521e00f5

+ 2 - 1
CHANGES.md

@@ -2,7 +2,8 @@
 
 ## v3.6.10
 
-*
+* Fix: Redirect logic for users except for actives
+    * Introduced by 3.6.9
 
 ## v3.6.9
 

+ 1 - 1
package.json

@@ -1,6 +1,6 @@
 {
   "name": "growi",
-  "version": "3.6.9-RC",
+  "version": "3.6.10-RC",
   "description": "Team collaboration software using markdown",
   "tags": [
     "wiki",

+ 2 - 2
src/server/crowi/express-init.js

@@ -19,7 +19,7 @@ module.exports = function(crowi, app) {
   const i18nSprintf = require('i18next-sprintf-postprocessor');
   const i18nMiddleware = require('i18next-express-middleware');
 
-  const safeRedirect = require('../middleware/safe-redirect')();
+  const registerSafeRedirect = require('../middleware/safe-redirect')();
 
   const avoidSessionRoutes = require('../routes/avoid-session-routes');
   const i18nUserSettingDetector = require('../util/i18nUserSettingDetector');
@@ -115,7 +115,7 @@ module.exports = function(crowi, app) {
 
   app.use(flash());
 
-  app.use(safeRedirect);
+  app.use(registerSafeRedirect);
 
   const middlewares = require('../util/middlewares')(crowi, app);
 

+ 2 - 1
src/server/routes/login.js

@@ -56,7 +56,8 @@ module.exports = function(crowi, app) {
 
   actions.preLogin = function(req, res, next) {
     // user has already logged in
-    if (req.user != null) {
+    const { user } = req;
+    if (user != null && user.status === User.STATUS_ACTIVE) {
       const { redirectTo } = req.session;
       // remove session.redirectTo
       delete req.session.redirectTo;
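Review bot: The comment `// user has already logged in` above the new guard no longer matches the condition, which now also requires `user.status === User.STATUS_ACTIVE`; I would reword it to `// an active user is already logged in; any other status falls through to the login flow`. The rest of `preLogin` lies outside this hunk, so it is not visible what a session whose `req.user` is non-active reaches after falling through, or whether `User` is already in scope in this file; both should be confirmed. The commit also adds no test for this branch, although CHANGES.md describes it as a regression introduced by 3.6.9. A case with a non-active `req.user` that asserts no redirect is issued and `req.session.redirectTo` is left in place would pin the fix.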

+ 8 - 8
src/test/middleware/safe-redirect.test.js

@@ -1,7 +1,7 @@
 /* eslint-disable arrow-body-style */
 
 describe('safeRedirect', () => {
-  let safeRedirect;
+  let registerSafeRedirect;
 
   const whitelistOfHosts = [
     'white1.example.com:8080',
@@ -9,7 +9,7 @@ describe('safeRedirect', () => {
   ];
 
   beforeEach(async(done) => {
-    safeRedirect = require('@server/middleware/safe-redirect')(whitelistOfHosts);
+    registerSafeRedirect = require('@server/middleware/safe-redirect')(whitelistOfHosts);
     done();
   });
 
@@ -26,7 +26,7 @@ describe('safeRedirect', () => {
     const next = jest.fn();
 
     test('redirects to \'/\' because specified url causes open redirect vulnerability', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('//evil.example.com');
 
@@ -39,7 +39,7 @@ describe('safeRedirect', () => {
     });
 
     test('redirects to \'/\' because specified host without port is not in whitelist', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('http://white1.example.com/path/to/page');
 
@@ -52,7 +52,7 @@ describe('safeRedirect', () => {
     });
 
     test('redirects to the specified local url', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('/path/to/page');
 
@@ -65,7 +65,7 @@ describe('safeRedirect', () => {
     });
 
     test('redirects to the specified local url (fqdn)', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('http://example.com/path/to/page');
 
@@ -78,7 +78,7 @@ describe('safeRedirect', () => {
     });
 
     test('redirects to the specified whitelisted url (white1.example.com:8080)', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('http://white1.example.com:8080/path/to/page');
 
@@ -91,7 +91,7 @@ describe('safeRedirect', () => {
     });
 
     test('redirects to the specified whitelisted url (white2.example.com:8080)', () => {
-      safeRedirect(req, res, next);
+      registerSafeRedirect(req, res, next);
 
       const result = res.safeRedirect('http://white2.example.com:8080/path/to/page');