From 1b97cadc5cf32661633286cbbef568d18aa593ae Mon Sep 17 00:00:00 2001
From: Hongwei
Date: Wed, 17 Feb 2021 13:05:30 +0100
Subject: [PATCH] bugfix/#sonarcloud: Change this code to not perform redirects based on user-controlled data.
---
 .../templates/entitlementrequests/index.html | 2 --
 apimanager/entitlementrequests/views.py | 6 ++----
 apimanager/users/views.py | 10 +++++++++-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/apimanager/entitlementrequests/templates/entitlementrequests/index.html b/apimanager/entitlementrequests/templates/entitlementrequests/index.html
index 48284ee..2688e4c 100644
--- a/apimanager/entitlementrequests/templates/entitlementrequests/index.html
+++ b/apimanager/entitlementrequests/templates/entitlementrequests/index.html
@@ -43,7 +43,6 @@
{% csrf_token %} -
@@ -51,7 +50,6 @@
 {% csrf_token %}
-
diff --git a/apimanager/entitlementrequests/views.py b/apimanager/entitlementrequests/views.py
index c77487a..0282674 100644
--- a/apimanager/entitlementrequests/views.py
+++ b/apimanager/entitlementrequests/views.py
@@ -73,8 +73,7 @@ class RejectEntitlementRequest(LoginRequiredMixin, View):
 except:
 messages.error(self.request, "Unknown Error")
- redirect_url = request.POST.get('next', reverse('entitlementrequests-index'))
- return HttpResponseRedirect(redirect_url)
+ return HttpResponseRedirect(reverse('entitlementrequests-index'))
 class AcceptEntitlementRequest(LoginRequiredMixin, View):
@@ -115,5 +114,4 @@ class AcceptEntitlementRequest(LoginRequiredMixin, View):
 except:
 messages.error(self.request, "Unknown Error")
- redirect_url = request.POST.get('next', reverse('entitlementrequests-index'))
- return HttpResponseRedirect(redirect_url)
\ No newline at end of file
+ return HttpResponseRedirect(reverse('entitlementrequests-index'))
\ No newline at end of file
diff --git a/apimanager/users/views.py b/apimanager/users/views.py
index 5a3ff3a..5cca6e6 100644
--- a/apimanager/users/views.py
+++ b/apimanager/users/views.py
@@ -276,5 +276,13 @@ class DeleteEntitlementView(LoginRequiredMixin, View):
 except:
 messages.error(self.request, 'Unknown Error')
- redirect_url = request.POST.get('next', reverse('users-index'))
+ # from sonarcloud: Change this code to not perform redirects based on user-controlled data.
+ redirect_url_from_gui = request.POST.get('next', reverse('users-index'))
+ if "/users/all/user_id/" in str(redirect_url_from_gui):
+ redirect_url = reverse('users-detail',kwargs={"user_id":kwargs['user_id']})
+ elif ("/users/myuser/user_id/" in str(redirect_url_from_gui)):
+ redirect_url = reverse('my-user-detail',kwargs={"user_id":kwargs['user_id']})
+ else:
+ redirect_url = redirect_url_from_gui
+
 return HttpResponseRedirect(redirect_url)
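Review bot: The `else` branch in the users/views.py hunk still assigns `redirect_url = redirect_url_from_gui`, a value taken directly from `request.POST.get('next', ...)`, so any posted `next` that does not contain one of the two checked substrings is followed verbatim and the redirect-on-user-controlled-data finding this commit targets stays open on that path. The two substring branches are safe only because they rebuild the target with `reverse()`; the check itself does not constrain where the candidate points. The simplest consistent fix is to drop the pass-through and use the same default the other two views in this patch now return, `redirect_url = reverse('users-index')`, or, if honouring `next` is required, gate it with Django's `url_has_allowed_host_and_scheme(redirect_url_from_gui, allowed_hosts={request.get_host()})` and fall back to `reverse('users-index')` otherwise. The enclosing method of `DeleteEntitlementView` begins outside the hunk, so whether `kwargs['user_id']` is always present in the route cannot be confirmed from here; a `KeyError` there would surface as a 500 after the deletion has already happened. As a point of style, the `str()` wrapping and the parenthesised `elif` condition are redundant, and the `kwargs={"user_id":kwargs['user_id']}` calls need PEP 8 spacing.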