[damned-lies] Improved redirection after login/logout



commit 725243ab973c1a23bf2578889e110efe0ee1b222
Author: Claude Paroz <claude 2xlibre net>
Date:   Fri Dec 4 17:48:35 2015 +0100

    Improved redirection after login/logout

 common/views.py |   21 +++++++++++++--------
 1 files changed, 13 insertions(+), 8 deletions(-)
---
diff --git a/common/views.py b/common/views.py
index 6846f46..4cecb39 100644
--- a/common/views.py
+++ b/common/views.py
@@ -24,6 +24,7 @@ from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect, Http404
 from django.shortcuts import render
 from django.template.loader import get_template, TemplateDoesNotExist
+from django.utils.http import is_safe_url
 from django.utils.translation import ugettext as _
 
 from people.models import Person, obfuscate_email
@@ -55,12 +56,22 @@ def about(request):
 
 def site_login(request):
     """ Site-specific login page. Not named 'login' to not confuse with auth.login """
-    referer = None
+    def redirect(referer):
+        if is_safe_url(referer, host=request.get_host()):
+            return HttpResponseRedirect(referer)
+        else:
+            return HttpResponseRedirect(reverse("home"))
+
+    referer = request.META.get('HTTP_REFERER', None)
     openid_path = ''
     if request.method == 'POST':
+        if request.POST.get('referer', None):
+            referer = request.POST['referer']
+
         if 'logout' in request.POST and request.POST['logout']:
             logout(request)
             messages.success(request, _("You have been logged out."))
+            return redirect(referer)
         elif 'username' in request.POST:
             username = request.POST['username']
             password = request.POST['password']
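Review bot: The nested `redirect` helper added at the top of `site_login` is the only check between a client-controlled `referer` (the POST field or the Referer header) and the `Location` header, yet nothing in the code says so. Its name also matches Django's `django.shortcuts.redirect`, which performs no such validation. I would rename it to something like `safe_redirect` and give it a docstring such as `"""Redirect to referer only if it points at this host; otherwise go to home."""`. A regression test that posts an off-site `referer` and asserts the response goes to `reverse("home")` would keep the guard from being dropped in a later refactor. The body of `site_login` continues past the end of this hunk.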
@@ -74,17 +85,11 @@ def site_login(request):
                             'url': reverse('person_team_join'),
                         }
                         messages.info(request, message)
-                    if 'referer' in request.POST:
-                        return HttpResponseRedirect(request.POST['referer'])
-                    else:
-                        return HttpResponseRedirect(reverse("home"))
+                    return redirect(referer)
                 else:
                     messages.error(request, _("We're sorry, but your account has been disabled."))
             else:
                 messages.error(request, _("Login unsuccessful. Please verify your username and password."))
-                referer = request.POST['referer']
-    else:
-        referer = request.META.get('HTTP_REFERER', None)
 
     if 'django_openid_auth' in settings.INSTALLED_APPS:
         openid_path = '/openid/login/'

