[bug] Insecure redirect after publishing etc.

[fsbraun]

djangocms-versioning implements a set of redirects after a version state change, e.g., redirect to the published version after publishing.

Depending on the site setup, those redirects might fail, e.g. when publishing a child page of an app hooked page. The app hook "swallows" all URLs below its own, and a redirect to the just published page fails with a 404.

djangocms-versioning should first check, if the redirect URLs are reversible and, if not, implement a fallback solution.

Affected IMHO are two instances:

• "Free" redirects like here:

  djangocms-versioning/djangocms_versioning/admin.py

  Line 1033 in c9bf9f4

  requested_redirect = request.GET.get("next", None)

• Published redirects like here (since technically the result of get_absolute_url is not guaranteed to be resolvable):

  djangocms-versioning/djangocms_versioning/admin.py

  Lines 1055 to 1057 in c9bf9f4

  	if conf.ON_PUBLISH_REDIRECT == "published":
  	if hasattr(version.content, "get_absolute_url"):
  	redirect_url = version.content.get_absolute_url() or redirect_url

As a fallback, I suggest using the preview URL if conf.ON_PUBLISH_REDIRECT in ("preview", "published"), otherwise the version list url.

To check if the URL is valid, resolve can be used:

try:
    resolve(url)
except Resolver404:
    url = fallback

[fsbraun]

@sourcery-ai plan

[sourcery-ai]

Objectives

• Implement URL validation for redirects after version state changes in djangocms_versioning
• Add URL resolution check using Django's resolve() function before performing redirects
• Create a fallback mechanism to use preview URLs when the primary redirect URL is not resolvable
• Fix redirect handling in VersionAdmin class for 'free' state changes
• Fix redirect handling after publishing content when get_absolute_url() returns an unresolvable URL
• Update affected code paths in admin.py to use the new URL validation and fallback system
• Add tests to verify URL validation and fallback behavior works correctly

Setup commands

File changes

djangocms_versioning/admin.py

• Add URL validation check before redirecting after publish action
• Add URL validation check before redirecting after free state changes
• Add resolve_url helper method to validate URLs using Django's resolve
• Update publish_view to use preview URL as fallback when publish URL is not resolvable
• Update unpublish_view to use preview URL as fallback when unpublish URL is not resolvable

djangocms_versioning/helpers.py

• Add is_url_resolvable helper function to check if a URL can be resolved
• Update get_preview_url to handle cases where preview URL is not resolvable

Verify commands

• python manage.py test djangocms_versioning.tests.test_admin

---

This plan was automatically generated.
Please review the plan carefully and make any necessary adjustments.