redirect to referrer after unauthorized post/put

fixes CNVS-5248

test plan:
- start taking a one-question-at-a-time quiz
- log out in another tab
- hit the next or previous button
- re-login
- you should land back in the quiz

Change-Id: I578d6803bd6deb90ec3c82153d999b478e42a199
Reviewed-on: https://gerrit.instructure.com/19539
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Myller de Araujo <myller@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>

app/controllers/application_controller.rb

@@ -271,7 +271,7 @@ class ApplicationController < ActionController::Base
       @headers = !!@current_user if @headers != false
       @files_domain = @account_domain && @account_domain.host_type == 'files'
       format.html {
-        store_location if request.get?
+        store_location
         return if !@current_user && initiate_delegated_login(request.host_with_port)
         if @context.is_a?(Course) && @context_enrollment
           start_date = @context_enrollment.enrollment_dates.map(&:first).compact.min if @context_enrollment.state_based_on_date == :inactive
@@ -319,19 +319,8 @@ class ApplicationController < ActionController::Base
     return @context != nil
   end
 
-  def clean_return_to(url)
-    return nil if url.blank?
-    uri = URI.parse(url)
-    return nil unless uri.path[0] == ?/
-    return "#{request.protocol}#{request.host_with_port}#{uri.path}#{uri.query && "?#{uri.query}"}#{uri.fragment && "##{uri.fragment}"}"
-  end
   helper_method :clean_return_to
 
-  def return_to(url, fallback)
-    url = clean_return_to(url) || clean_return_to(fallback)
-    redirect_to url
-  end
-
   MAX_ACCOUNT_LINEAGE_TO_SHOW_IN_CRUMBS = 3
 
   # Can be used as a before_filter, or just called from controller code.

lib/authentication_methods.rb

@@ -178,9 +178,22 @@ module AuthenticationMethods
   end
   protected :require_user
 
+  def clean_return_to(url)
+    return nil if url.blank?
+    uri = URI.parse(url)
+    return nil unless uri.path[0] == ?/
+    return "#{request.protocol}#{request.host_with_port}#{uri.path}#{uri.query && "?#{uri.query}"}#{uri.fragment && "##{uri.fragment}"}"
+  end
+
+  def return_to(url, fallback)
+    url = clean_return_to(url) || clean_return_to(fallback)
+    redirect_to url
+  end
+
   def store_location(uri=nil, overwrite=true)
     if overwrite || !session[:return_to]
-      session[:return_to] = uri || request.request_uri
+      uri ||= request.get? ? request.request_uri : request.referrer
+      session[:return_to] = clean_return_to(uri)
     end
   end
   protected :store_location

spec/controllers/quiz_submissions_controller_spec.rb

@@ -111,4 +111,33 @@ describe QuizSubmissionsController do
       @qs.reload.submission_data[:a].should == 'test'
     end
   end
+
+  describe "POST 'record_answer'" do
+    before do
+      quiz_with_submission(!:complete_quiz)
+      @quiz.update_attribute(:one_question_at_a_time, true)
+    end
+
+    it "should require authentication" do
+      post 'record_answer', :quiz_id => @quiz.id, :course_id => @course.id, :id => @qsub.id, :a => 'test'
+      response.status.to_i.should == 401
+
+      @qsub.reload.submission_data[:a].should be_nil
+    end
+
+    it "should record the user's submission" do
+      user_session(@student)
+
+      post 'record_answer', :quiz_id => @quiz.id, :course_id => @course.id, :id => @qsub.id, :a => 'test'
+      response.status.to_i.should == 401
+
+      @qsub.reload.submission_data[:a].should be_nil
+    end
+
+    it "should redirect back to quiz after login if unauthorized" do
+      post 'record_answer', :quiz_id => @quiz.id, :course_id => @course.id, :id => @qsub.id, :a => 'test'
+      assert_unauthorized
+      session[:return_to].should_not be_nil
+    end
+  end
 end