Login return to

app/controllers/admin_controller.rb

@@ -10,7 +10,15 @@ class AdminController < ApplicationController
 
     def set_session
       if current_remote_user.nil?
-        session[:return_to] = request.url
+        # Its important that the return_to is NOT stored if:
+        # - The request method is not GET (non idempotent)
+        # - The request is handled by a Devise controller such as Devise::SessionsController as that could cause an infinite redirect loop
+        # - The request is an Ajax request as this can lead to very unexpected behaviour
+        session[:return_to] = if request.get? && is_navigational_format? && !devise_controller? && !request.xhr?
+                                request.url
+                              else
+                                admin_root_path
+                              end
         redirect_to '/login'
       end
       session[:user_role] = 'admin'

app/controllers/approver_controller.rb

@@ -10,7 +10,15 @@ class ApproverController < ApplicationController
 
     def set_session
       if current_remote_user.nil?
-        session[:return_to] = request.url
+        # Its important that the return_to is NOT stored if:
+        # - The request method is not GET (non idempotent)
+        # - The request is handled by a Devise controller such as Devise::SessionsController as that could cause an infinite redirect loop
+        # - The request is an Ajax request as this can lead to very unexpected behaviour
+        session[:return_to] = if request.get? && is_navigational_format? && !devise_controller? && !request.xhr?
+                                request.url
+                              else
+                                approver_root_path
+                              end
         redirect_to '/login'
       end
       session[:user_role] = 'approver'

app/controllers/author_controller.rb

@@ -10,7 +10,15 @@ class AuthorController < ApplicationController
 
     def set_session
       if current_remote_user.nil?
-        session[:return_to] = request.url
+        # Its important that the return_to is NOT stored if:
+        # - The request method is not GET (non idempotent)
+        # - The request is handled by a Devise controller such as Devise::SessionsController as that could cause an infinite redirect loop
+        # - The request is an Ajax request as this can lead to very unexpected behaviour
+        session[:return_to] = if request.get? && is_navigational_format? && !devise_controller? && !request.xhr?
+                                request.url
+                              else
+                                author_root_path
+                              end
         redirect_to '/login'
       end
       session[:user_role] = 'author'

spec/requests/application_controller_spec.rb

@@ -74,4 +74,22 @@
       assert_response :redirect, "<302: Found> redirect to </>"
     end
   end
+
+  describe 'storing session[:return_to]' do
+    it 'stores request url if valid url to return to or else it stores user root path' do
+      # urls with .json appended to the end is a common occcurence (datatables) that we consider to be invalid
+      get '/approver'
+      expect(session[:return_to]).to eq 'http://www.example.com/approver'
+      get '/approver.json'
+      expect(session[:return_to]).to eq '/approver'
+      get '/author'
+      expect(session[:return_to]).to eq 'http://www.example.com/author'
+      get '/author.json'
+      expect(session[:return_to]).to eq '/author'
+      get '/admin'
+      expect(session[:return_to]).to eq 'http://www.example.com/admin'
+      get '/admin.json'
+      expect(session[:return_to]).to eq '/admin'
+    end
+  end
 end