Rename safe_next_url -> extract_next_path_from_params

malcolmbaig · malcolmbaig · commit d0288f419e76 · 2025-10-07T12:56:31.000+01:00
Avoid using the word safe as it implies some level of escaping / safety
that this function doesn't provide.
diff --git a/manage_breast_screening/auth/demo_views.py b/manage_breast_screening/auth/demo_views.py
@@ -6,23 +6,23 @@
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 
-from manage_breast_screening.core.utils.urls import safe_next_url
+from manage_breast_screening.core.utils.urls import extract_next_path_from_params
 
 from .models import PERSONAS
 
 
 @login_not_required
 def persona_login(request):
     users = _get_users(request.user)
-    next_url = safe_next_url(request)
+    next_path = extract_next_path_from_params(request)
 
     if request.method == "POST":
         user = get_object_or_404(users, nhs_uid=request.POST["username"])
         login(request, user, backend="django.contrib.auth.backends.ModelBackend")
 
         redirect_url = reverse("clinics:select_provider")
-        if next_url:
-            redirect_url = f"{redirect_url}?{urlencode({'next': next_url})}"
+        if next_path:
+            redirect_url = f"{redirect_url}?{urlencode({'next': next_path})}"
 
         return redirect(redirect_url)
     else:
@@ -33,7 +33,7 @@ def persona_login(request):
                 "users": users,
                 "page_title": "Personas",
                 "current_user": request.user,
-                "next": next_url,
+                "next": next_path,
             },
         )
 
diff --git a/manage_breast_screening/clinics/views.py b/manage_breast_screening/clinics/views.py
@@ -3,7 +3,7 @@
 from django.views.decorators.http import require_http_methods
 
 from ..core.decorators import current_provider_exempt
-from ..core.utils.urls import safe_next_url
+from ..core.utils.urls import extract_next_path_from_params
 from ..participants.models import Appointment, AppointmentStatus
 from .models import Clinic, Provider
 from .presenters import AppointmentListPresenter, ClinicPresenter, ClinicsPresenter
@@ -58,21 +58,21 @@ def check_in(_request, pk, appointment_pk):
 @current_provider_exempt
 @login_required
 def select_provider(request):
-    next_url = safe_next_url(request)
+    next_path = extract_next_path_from_params(request)
     user_providers = Provider.objects.filter(assignments__user=request.user)
 
     if len(user_providers) == 1:
         request.session["current_provider"] = str(user_providers.first().pk)
-        if next_url:
-            return redirect(next_url)
+        if next_path:
+            return redirect(next_path)
         return redirect("clinics:index")
 
     if request.method == "POST":
         provider_id = request.POST.get("provider")
         if provider_id and user_providers.filter(pk=provider_id).exists():
             request.session["current_provider"] = provider_id
-            if next_url:
-                return redirect(next_url)
+            if next_path:
+                return redirect(next_path)
             return redirect("clinics:index")
 
     return render(
@@ -81,6 +81,6 @@ def select_provider(request):
         context={
             "providers": user_providers,
             "page_title": "Select Provider",
-            "next": next_url,
+            "next": next_path,
         },
     )
diff --git a/manage_breast_screening/core/utils/urls.py b/manage_breast_screening/core/utils/urls.py
@@ -1,4 +1,4 @@
-def safe_next_url(request):
+def extract_next_path_from_params(request):
     """Extract and validate a 'next' URL from request GET or POST parameters.
 
     Only returns the URL if it's a safe relative URL (starts with '/').

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-def safe_next_url(request):`
	`1`	`+def extract_next_path_from_params(request):`
`2`	`2`	`"""Extract and validate a 'next' URL from request GET or POST parameters.`
`3`	`3`
`4`	`4`	`Only returns the URL if it's a safe relative URL (starts with '/').`