Allow external redirect for render host and LTI

We only use the `launch_presentation_return_url` provided to the @provider, in order to prevent using an open redirect.
Sebastian Serth
2022-12-05 22:13:59 +01:00
parent b7a3fd4586
commit 9977e1614b
3 changed files with 7 additions and 6 deletions


@ -110,7 +110,7 @@ class ApplicationController < ActionController::Base
redirect_to :root, alert: message
# Redirect to main domain if the request originated from our render_host
elsif request.path == '/' && request.host == RENDER_HOST
redirect_to Rails.application.config.action_mailer.default_url_options
redirect_to Rails.application.config.action_mailer.default_url_options, allow_other_host: true
else
redirect_back fallback_location: :root, allow_other_host: false, alert: message
end
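Review bot: The new `allow_other_host: true` on the render-host branch has no comment saying why the cross-host redirect is safe, so a later edit could swap in a request-derived target without noticing that the guard is off. The target here is `Rails.application.config.action_mailer.default_url_options`, which is static configuration rather than request input. I would record that above the call, e.g. `# allow_other_host is safe here: the target is taken from app config, never from request parameters`. If that config ever lacks a `host` key, the URL would presumably resolve against the current request host and send the client back to `/` on RENDER_HOST, so a boot-time check that the host is set and differs from RENDER_HOST is worth considering. The enclosing method starts and ends outside this hunk, so how `message` and the earlier branches are reached is not visible here.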