From 129bc6bdd7a43ed824eaa1e66129553a437e971d Mon Sep 17 00:00:00 2001
From: Valentin Deniaud <vdeniaud@entrouvert.com>
Date: Mon, 15 Apr 2019 13:23:34 +0200
Subject: [PATCH 1/4] views: allow passing arbitrary GET params to mellon

---
 chrono/views.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/chrono/views.py b/chrono/views.py
index 0982e51..c599aec 100644
--- a/chrono/views.py
+++ b/chrono/views.py
@@ -19,7 +19,7 @@ from django.contrib.auth import logout as auth_logout
 from django.contrib.auth import views as auth_views
 from django.http import HttpResponseRedirect
 from django.shortcuts import resolve_url
-from django.utils.six.moves.urllib.parse import quote
+from django.utils.six.moves.urllib.parse import quote, urlparse, urlunparse
 
 if 'mellon' in settings.INSTALLED_APPS:
     from mellon.utils import get_idps
@@ -29,10 +29,11 @@ else:
 
 def login(request, *args, **kwargs):
     if any(get_idps()):
-        if not 'next' in request.GET:
-            return HttpResponseRedirect(resolve_url('mellon_login'))
-        return HttpResponseRedirect(resolve_url('mellon_login') + '?next='
-                                    + quote(request.GET.get('next')))
+        mellon_url = resolve_url('mellon_login')
+        mellon_url_parts = urlparse(mellon_url)
+        mellon_url_parts = mellon_url_parts._replace(
+            query=request.GET.urlencode(safe='/'))
+        return HttpResponseRedirect(urlunparse(mellon_url_parts))
     return auth_views.login(request, *args, **kwargs)
 
 def logout(request, next_page=None):
-- 
2.20.1