From 9678121efa9c0114cd034b52569c2d9b9b5c1b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Sat, 14 Mar 2026 10:48:28 +0000
Subject: [PATCH] fix: batch return_url use relative self url (avoid fullUrl
 domain)

---
 .../views/admin/products/index.blade.php      | 13 ++++++++++-
 .../merchant_admin/products/index.blade.php   | 22 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/resources/views/admin/products/index.blade.php b/resources/views/admin/products/index.blade.php
index 61708b7..c59e792 100644
--- a/resources/views/admin/products/index.blade.php
+++ b/resources/views/admin/products/index.blade.php
@@ -175,7 +175,18 @@
     <h3>商品列表</h3>
     <form id="platform-batch-form" method="post" action="/admin/products/batch" onsubmit="return confirm('确认执行本次批量操作？');">
         @csrf
-        <input type="hidden" name="return_url" value="{{ request()->fullUrl() }}">
+        @php
+            // return_url：用于批量操作后回到当前列表（保留筛选上下文）。
+            // 说明：不使用 request()->fullUrl()（可能包含域名），避免被后端“仅允许站内相对路径”规则拦截。
+            // 同时：剔除 return_url 本身，避免出现嵌套导致 URL 膨胀。
+            $currentQuery = request()->query();
+            unset($currentQuery['return_url']);
+            $selfWithoutReturn = '/' . ltrim(request()->path(), '/');
+            if (count($currentQuery) > 0) {
+                $selfWithoutReturn .= '?' . \Illuminate\Support\Arr::query($currentQuery);
+            }
+        @endphp
+        <input type="hidden" name="return_url" value="{{ $selfWithoutReturn }}">
         <div class="actions gap-10 mb-12">
             <select name="action"><option value="change_status">批量改状态</option><option value="change_category">批量改分类</option></select>
             <select name="status"><option value="">选择状态（用于批量改状态）</option>@foreach($filterOptions['statuses'] as $status)<option value="{{ $statusLabels[$status] ?? $status }}">{{ $statusLabels[$status] ?? $status }}</option>@endforeach</select>
diff --git a/resources/views/merchant_admin/products/index.blade.php b/resources/views/merchant_admin/products/index.blade.php
index d95a9eb..8c8de43 100644
--- a/resources/views/merchant_admin/products/index.blade.php
+++ b/resources/views/merchant_admin/products/index.blade.php
@@ -161,7 +161,27 @@
 
 <div class="card">
     <h3>商品列表</h3>
-    <form id="merchant-batch-form" method="post" action="/merchant-admin/products/batch" onsubmit="return confirm('确认执行本次批量操作？');">@csrf <input type="hidden" name="return_url" value="{{ request()->fullUrl() }}"><div class="actions mb-12"><select name="action"><option value="change_status">批量改状态</option><option value="change_category">批量改分类</option></select><select name="status"><option value="">选择状态（用于批量改状态）</option>@foreach($filterOptions['statuses'] as $status)<option value="{{ $statusLabels[$status] ?? $status }}">{{ $statusLabels[$status] ?? $status }}</option>@endforeach</select><select name="category_id"><option value="">清空分类 / 不指定（用于批量改分类）</option>@foreach($categories as $category)<option value="{{ $category->id }}">{{ $category->name }}</option>@endforeach</select><button type="submit">执行批量操作</button></div></form>
+    <form id="merchant-batch-form" method="post" action="/merchant-admin/products/batch" onsubmit="return confirm('确认执行本次批量操作？');">
+        @csrf
+        @php
+            // return_url：用于批量操作后回到当前列表（保留筛选上下文）。
+            // 说明：不使用 request()->fullUrl()（可能包含域名），避免被后端“仅允许站内相对路径”规则拦截。
+            // 同时：剔除 return_url 本身，避免出现嵌套导致 URL 膨胀。
+            $currentQuery = request()->query();
+            unset($currentQuery['return_url']);
+            $selfWithoutReturn = '/' . ltrim(request()->path(), '/');
+            if (count($currentQuery) > 0) {
+                $selfWithoutReturn .= '?' . \Illuminate\Support\Arr::query($currentQuery);
+            }
+        @endphp
+        <input type="hidden" name="return_url" value="{{ $selfWithoutReturn }}">
+        <div class="actions mb-12">
+            <select name="action"><option value="change_status">批量改状态</option><option value="change_category">批量改分类</option></select>
+            <select name="status"><option value="">选择状态（用于批量改状态）</option>@foreach($filterOptions['statuses'] as $status)<option value="{{ $statusLabels[$status] ?? $status }}">{{ $statusLabels[$status] ?? $status }}</option>@endforeach</select>
+            <select name="category_id"><option value="">清空分类 / 不指定（用于批量改分类）</option>@foreach($categories as $category)<option value="{{ $category->id }}">{{ $category->name }}</option>@endforeach</select>
+            <button type="submit">执行批量操作</button>
+        </div>
+    </form>
     <p class="muted muted-tight">批量操作只会作用于当前登录商家可见商品，越权或已删除数据会被拦截。</p>
     <table>
         <thead><tr><th><input type="checkbox" data-check-all="merchant-products"></th><th>ID</th><th>标题</th><th>分类</th><th>SKU</th><th>售价/原价</th><th>库存</th><th>创建时间</th><th>更新时间</th><th>状态</th><th>操作</th></tr></thead>