How to prevent force_ssl from destroying params in redirect?

Question

I have the following route:

resources :widgets do
  resources :orders
end

so that a request, e.g. to /widgets/1/orders/new goes to OrderController, which can access params[:widget_id] to know which widget is being purchased.

The problem is this: I use force_ssl in OrderController. This is causing requests for:

http://www.example.com/widgets/1/orders/new

to be redirected (302) to:

https://www.example.com/

In other words, force_ssl is doing its job (redirecting to https protocol version of URL), but is destroying the parameters specified by the dynamic segment of the route in the process. How can I prevent this from happening (preferable) or work around it in the least offensive way?

Note that this is hosted on Heroku, and so e.g. an Apache redirect won't work for me.

barbolo · Accepted Answer · 2014-08-29T10:17:25.023

3

I believe the default behavior of force_ssl is to pass parameters from the non-secure connection to the secure connection. If this is not the behaviour you want, you could try to override the force_ssl function by adding an initializer like that:

#
# Pass parameters in SSL redirects
#
module ActionController
  module ForceSSL
    module ClassMethods
      def force_ssl(options = {})
        host = options.delete(:host)
        before_filter(options) do
          if !request.ssl? && !Rails.env.development?

            secure_params = request.params.clone
            [:only, :except, :protocol, :status, :host].each {|s| secure_params.delete(s)}

            redirect_options = {:protocol => 'https://', :status => :moved_permanently}
            redirect_options.merge!(:host => host) if host
            redirect_to redirect_options.merge(secure_params)
          end
        end

      end
    end
  end
end

edited Aug 29 '14 at 10:17

answered Nov 07 '11 at 03:51

barbolo

3,807
1
31
31

Thanks for this answer. Unfortunately I've since deployed the app with SSL forced throughout the whole app (i.e. `config.force_ssl = true` in config/environments/production.rb) as a less-than-ideal workaround. Since I can't easily test this without doing it on my production server, I can't tell if your solution works or not. :-\ – niemand Nov 11 '11 at 19:43
Works for me, thanks! Did you create a pull request for this? – jankubr Dec 02 '11 at 15:24
I didn't submit the pull request. I haven't tested this patch a lot and there may be bugs. A possible issue with this solution is when you receive a POST and the redirect goes as a GET with the params. – barbolo Jan 25 '12 at 15:50

How to prevent force_ssl from destroying params in redirect?

1 Answers1