From b3d9e814997ab8f83e8e441ed48625c66ed68d51 Mon Sep 17 00:00:00 2001
From: Martin Green <martin.speleo@gmail.com>
Date: Sat, 25 Jun 2022 16:13:02 +0100
Subject: [PATCH] Implement redirects after login (using the next parameter)

---
 core/views/auth.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/core/views/auth.py b/core/views/auth.py
index a7b2ca1..a4dc9d9 100644
--- a/core/views/auth.py
+++ b/core/views/auth.py
@@ -1,10 +1,11 @@
 from builtins import str
 
 from django.conf import settings
-from django.shortcuts import render
+from django.shortcuts import render, redirect
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth import forms as auth_forms
 from django.contrib.auth.decorators import login_required
+from django.utils.http import is_safe_url
 
 """This enforces the login requirement for non-public pages using 
 the decorator mechanism. 
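Review bot: The new import `from django.utils.http import is_safe_url` uses a name that Django deprecated in 3.0 and removed in 4.0, so this module will fail to import after an upgrade. The Django version this project pins is not visible here; if it is 3.0 or later, prefer `from django.utils.http import url_has_allowed_host_and_scheme`. That function takes the same `url`, `allowed_hosts` and `require_https` keyword arguments, so the call in `redirect_after_login` in the second hunk only needs the name changed.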
@@ -70,8 +71,20 @@ def expologin(request):
     try:
         login(request, user)
         # Should do the ?next= stuff here..
-        return render(request, 'tasks.html', {})
+        return redirect_after_login(request)
     except:
         return render(request, 'errors/generic.html', {})
+        
+def redirect_after_login(request):
+    nxt = request.GET.get("next", None)
+    if nxt is None:
+        return redirect(settings.LOGIN_REDIRECT_URL)
+    elif not is_safe_url(
+            url=nxt,
+            allowed_hosts={request.get_host()},
+            require_https=request.is_secure()):
+        return redirect(settings.LOGIN_REDIRECT_URL)
+    else:
+        return redirect(nxt)
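Review bot: The call `return redirect_after_login(request)` sits inside the existing `try` whose bare `except:` renders `errors/generic.html`, so any failure while resolving the redirect target is reported as a login failure even though `login()` has already succeeded. Moving the call into an `else:` clause (`else: return redirect_after_login(request)`) keeps the handler scoped to `login()`; `expologin` starts outside this hunk, so check that against the whole function. Separately, `nxt` is read only from `request.GET`; if the login form submits `next` as a hidden POST field (the template is not shown), `request.POST.get("next", request.GET.get("next"))` would pick it up. The host and scheme check with a fallback to `settings.LOGIN_REDIRECT_URL` is the right guard against open redirects and is worth a one-line docstring such as `"""Redirect to ?next= only if it targets this host; otherwise to LOGIN_REDIRECT_URL."""`. The `# Should do the ?next= stuff here..` comment above the call is now stale and can be dropped.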