How does the redirect work after registration?

Question

1) I am puzzled how the redirect works after registration. I am talking about

           qa_set_logged_in_user($userid, $inhandle);

           $topath = qa_get('to');

            if (isset($topath))
                qa_redirect_raw(qa_path_to_root().$topath); // path already provided as URL fragment
            else
                 qa_redirect('');

Due to my tests, as I understood, $topath is setted and it is redirected to the " path already provided as URL fragment". However, how this path is provided is not clear to me. I am really sorry if this is a stupid question, but I tracked down the system and I was not able to find out how the url fragment is provided.

2) In what situations $topath could not be setted.

3) It seems that I could redirect it to somewhere such as replacing  "qa_redirect_raw(qa_path_to_root().$topath);" by "qa_redirect('account')". Could this cause any problem?

 

Answer 1

1 and 2) Logout. Go to the activity page. Try to perform a vote. You won't be able to and a login/register form error will pop up. Click on register. You will be redirected to the register page with the to set with the value activity: http://yoursite.com/register?to=activity

Now, go to the activity page again by clicking on the All activity menu item. The URL will be http://yoursite.com/register . So the to is a value set to redirect the user if they hadn't clicked on the register button directly. As it is part of the URL it needs to be set somewhere outside the registration form itself.

3) That should be fine. I think there is a redirect raw there because qa_redirect is (in most cases) used to redirect to pages managed by the core or plugins. The redirect raw would allow you to redirect the user to custom pages in the server that might not be managed by Q2A itself. But I'm just guessing :)

Comments

In addition, when you go to /login?to=whatever then the login form on the page points to /login?to=whatever. That's how to $topath variable gets set (from a technical view).

For #3, theoretically if you have some script (in the Q2A folder) that ran on load, you could make a user run that by linking them to `/login?to=somescript.php`. But then you could just link them directly to the script so that's irrelevant (and you shouldn't have scripts that do destructive things just by loading the URL!). There's no way for it to redirect you to a completely different website.