Merge pull request #3213 from AlchemyCMS/backport/7.4-stable/pr-3212

[7.4-stable] Allow is_safe_redirect_path to recognize customized admin path

Author: tvdeyen

app/controllers/alchemy/admin/base_controller.rb

@@ -43,7 +43,7 @@ def safe_redirect_path(path = params[:redirect_to], fallback: admin_path)
 
       def is_safe_redirect_path?(path)
         mount_path = alchemy.root_path
-        path.to_s.match? %r{^#{mount_path}admin/}
+        path.to_s.match? %r{^#{mount_path}#{Alchemy.admin_path}/}
       end
 
       def relative_referer_path(referer = request.referer)

spec/controllers/alchemy/admin/base_controller_spec.rb

@@ -338,5 +338,57 @@ def index
         it { is_expected.to be(false) }
       end
     end
+
+    context "admin path is customized" do
+      before(:all) do
+        Alchemy.admin_path = "backend"
+        Rails.application.reload_routes!
+      end
+
+      context "path is not an external URL" do
+        let(:path) { "/backend/pages" }
+
+        it { is_expected.to be(true) }
+      end
+
+      context "path is an external URL" do
+        let(:path) { "https://evil.com" }
+
+        it { is_expected.to be(false) }
+      end
+
+      after(:all) do
+        Alchemy.admin_path = "admin"
+        Rails.application.reload_routes!
+      end
+    end
+
+    context "admin path is customized and alchemy is mounted under a path" do
+      before do
+        Alchemy.admin_path = "backend"
+        Rails.application.reload_routes!
+
+        allow(controller).to receive(:alchemy) do
+          double(root_path: "/cms/")
+        end
+      end
+
+      context "path is not an external URL" do
+        let(:path) { "/cms/backend/pages" }
+
+        it { is_expected.to be(true) }
+      end
+
+      context "path is an external URL" do
+        let(:path) { "https://evil.com" }
+
+        it { is_expected.to be(false) }
+      end
+
+      after do
+        Alchemy.admin_path = "admin"
+        Rails.application.reload_routes!
+      end
+    end
   end
 end