On Thursday, August 25, 2011 2:12:37 PM UTC-4, Massimo Di Pierro wrote: > > We do not allow redirection outside the app, unless there is a bug. >
Yes, looks like we do. In Auth.login():
if next == DEFAULT:
next = request.get_vars._next \
or request.post_vars._next \
or self.settings.login_next
[snip]
redirect(next)
So, the login action will redirect to whatever URL is in the _next variable
of the query string. Just tried it and was able to redirect to an external
URL.
Anthony
