0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00

🐛 Fixed redirects loop if admin url does not equal blog url (#8950)

no issue

- this bug was invented with this commit 25c4e5025a
- the updated logic ensures that
  - only if you have configured a custom admin url and your requested host does not match, we redirect you
  - we still keep the wish of no force redirect if you have only configured a custom blog url and you navigate to /ghost
This commit is contained in:
Katharina Irrgang 2017-08-29 11:13:56 +02:00 committed by Kevin Ansfield
parent 688d8c9051
commit 029a2a276c
2 changed files with 70 additions and 1 deletions

View file

@ -22,6 +22,8 @@ _private.redirectUrl = function redirectUrl(options) {
_private.getAdminRedirectUrl = function getAdminRedirectUrl(options) {
var blogHostWithProtocol = utils.url.urlFor('home', true),
adminHostWithProtocol = utils.url.urlFor('admin', true),
adminHostWithoutProtocol = adminHostWithProtocol.replace(/(^\w+:|^)\/\//, ''),
blogHostWithoutProtocol = blogHostWithProtocol.replace(/(^\w+:|^)\/\//, ''),
requestedHost = options.requestedHost,
requestedUrl = options.requestedUrl,
queryParameters = options.queryParameters,
@ -30,7 +32,11 @@ _private.getAdminRedirectUrl = function getAdminRedirectUrl(options) {
debug('getAdminRedirectUrl', requestedHost, requestedUrl, adminHostWithProtocol);
// CASE: we only redirect the admin access if `admin.url` is configured
if (adminHostWithProtocol !== utils.url.urlJoin(blogHostWithProtocol, 'ghost/')) {
// If url and admin.url are not equal AND the requested host does not match, redirect.
// The first condition is the most important, because it ensures that you have a custom admin url configured,
// because we don't force an admin redirect if you have a custom url configured, but no admin url.
if (adminHostWithoutProtocol !== utils.url.urlJoin(blogHostWithoutProtocol, 'ghost/') &&
adminHostWithoutProtocol !== utils.url.urlJoin(requestedHost, utils.url.getSubdir(), 'ghost/')) {
debug('redirect because admin host does not match');
return _private.redirectUrl({

View file

@ -214,6 +214,11 @@ describe('UNIT: url redirects', function () {
urlRedirects(req, res, next);
next.called.should.be.false();
res.redirect.calledWith(301, 'https://admin.default.com:2368/blog/ghost').should.be.true();
req.secure = true;
host = 'admin.default.com:2368';
urlRedirects(req, res, next);
next.called.should.be.true();
done();
});
@ -238,4 +243,62 @@ describe('UNIT: url redirects', function () {
res.redirect.calledWith(301, 'https://admin.default.com:2368/ghost?test=true').should.be.true();
done();
});
it('[redirect] same url and admin url, but different protocol.', function (done) {
configUtils.set({
url: 'http://default.com:2368',
admin: {
url: 'https://default.com:2368'
}
});
host = 'default.com:2368';
res.isAdmin = true;
req.originalUrl = '/ghost';
urlRedirects(req, res, next);
next.called.should.be.false();
res.redirect.calledWith(301, 'https://default.com:2368/ghost').should.be.true();
req.secure = true;
urlRedirects(req, res, next);
next.called.should.be.true();
done();
});
it('[no redirect] different url and admin url, but different protocol.', function (done) {
configUtils.set({
url: 'http://blog.ghost.org',
admin: {
url: 'http://something.com'
}
});
host = 'something.com';
res.isAdmin = true;
req.secure = false;
req.originalUrl = '/ghost';
urlRedirects(req, res, next);
next.called.should.be.true();
done();
});
it('[no redirect] different url and admin url, but different protocol.', function (done) {
configUtils.set({
url: 'http://blog.ghost.org',
admin: {
url: 'http://something.com'
}
});
host = 'something.com';
res.isAdmin = true;
req.secure = true;
req.originalUrl = '/ghost';
urlRedirects(req, res, next);
next.called.should.be.true();
done();
});
});