Improve fallback behaviour for unsafe referer redirects

app/controllers/application_controller.rb

@@ -397,7 +397,7 @@ class ApplicationController < ActionController::Base
       referer = nil
     end
 
-    referer.to_s
+    referer&.to_s
   end
 
   def scope_enabled?(scope)

app/controllers/friendships_controller.rb

@@ -28,11 +28,9 @@ class FriendshipsController < ApplicationController
           friendship.add_error(t("friendships.make_friend.failed", :name => @new_friend.display_name))
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]
@@ -51,11 +49,9 @@ class FriendshipsController < ApplicationController
           flash[:error] = t "friendships.remove_friend.not_a_friend", :name => @friend.display_name
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]

app/controllers/messages_controller.rb

@@ -119,8 +119,10 @@ class MessagesController < ApplicationController
     if @message.save && !request.xhr?
       flash[:notice] = t ".destroyed"
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :action => :inbox
       end

app/controllers/sessions_controller.rb

@@ -34,10 +34,14 @@ class SessionsController < ApplicationController
         token&.destroy
         session.delete(:token)
       end
+
       session.delete(:user)
       session_expires_automatically
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :controller => "site", :action => "index"
       end

app/controllers/users_controller.rb

@@ -44,11 +44,9 @@ class UsersController < ApplicationController
 
         flash[:notice] = { :partial => "users/terms_declined_flash" } if current_user.save
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_account_path(current_user)
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_account_path(current_user)
       elsif params[:decline]
         redirect_to t("users.terms.declined")
       else
@@ -64,11 +62,9 @@ class UsersController < ApplicationController
         flash[:notice] = t "users.new.terms accepted" if current_user.save
       end
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
-      else
-        redirect_to user_account_path(current_user)
-      end
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      redirect_to referer || user_account_path(current_user)
     else
       self.current_user = session.delete(:new_user)