订阅筛选表单：仅透传安全back（补测试）

2026-03-14 16:19:31 +00:00
parent f20b8d89cb
commit 1439e0da62
3 changed files with 71 additions and 0 deletions
--- a/resources/views/admin/site_subscriptions/index.blade.php
+++ b/resources/views/admin/site_subscriptions/index.blade.php
@@ -126,6 +126,9 @@
 <div class="card mb-20">
    <h3>筛选条件</h3>
    <form method="get" action="/admin/site-subscriptions" class="grid-4">
+        @if($safeBackForLinks !== '')
+            <input type="hidden" name="back" value="{!! $safeBackForLinks !!}">
+        @endif
        <select name="status">
            <option value="">全部状态</option>
            @foreach(($filterOptions['statuses'] ?? []) as $value => $label)
--- a/tests/Feature/AdminSiteSubscriptionIndexFilterFormDropsUnsafeBackTest.php
+++ b/tests/Feature/AdminSiteSubscriptionIndexFilterFormDropsUnsafeBackTest.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminSiteSubscriptionIndexFilterFormDropsUnsafeBackTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_index_filter_form_should_drop_unsafe_back_as_hidden_input(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        // nested back=：必须丢弃
+        $back = '/admin/platform-orders?back=/admin/site-subscriptions';
+
+        $res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
+        $res->assertOk();
+
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee('value="' . $back . '"', false);
+    }
+}
--- a/tests/Feature/AdminSiteSubscriptionIndexFilterFormKeepsSafeBackTest.php
+++ b/tests/Feature/AdminSiteSubscriptionIndexFilterFormKeepsSafeBackTest.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminSiteSubscriptionIndexFilterFormKeepsSafeBackTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_index_filter_form_should_keep_safe_back_as_hidden_input(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $back = '/admin/platform-orders?merchant_id=2&status=pending';
+
+        $res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
+        $res->assertOk();
+
+        $res->assertSee('name="back" value="' . $back . '"', false);
+    }
+}