Support current in URL
#1417
Support current in URL
#1417
Conversation
| @@ -5,6 +5,11 @@ | |||
| after_action :set_feature_headers | |||
|
|
|||
| def set_ruby_version | |||
| if params[:version] == "current" | |||
| redirect_to request.path.sub(%r{^/current}, "/#{RubyConfig.default_ruby_version.version}") | |||
Check warning
Code scanning / CodeQL
URL redirection from remote source
| @@ -5,6 +5,12 @@ | |||
| after_action :set_feature_headers | |||
|
|
|||
| def set_ruby_version | |||
| if params[:version] == "current" | |||
| permitted_params = params.permit(:object, :engine, :q, :page, :theme) | |||
| redirect_to permitted_params.merge(version: RubyConfig.default_ruby_version.version) | |||
Check warning
Code scanning / CodeQL
URL redirection from remote source
|
@natematykiewicz thanks for the suggestion, I've pushed an update. It's a little awkward since it needs to be aware of all the potential params which could be passed. Also, CodeQL still complains 😭 |
|
I wonder if the user experience could improved by having |
|
Alternatively, I wonder if a redirect can be added directly in the router. Would that help anything? I know there's route constraint classes you can make. Or maybe a middleware? I just don't love having to list out all of the possible params. Seems really prone to failure as we add more pages in the future. I understand why you needed to do it (because only permitted params will get returned). That's why I wonder if bringing the controller into this is too far down the line. |
It's possible, but I expect that would still have the same issues with untrusted URL redirection. |
|
|
I really like the simplicity of #1426, and the lack of a redirect does seem nice. I'm a bigger fan of |
Closes #1215