From 00db22abdb4bce37f41071f534719caa4ac3dc0c Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 30 Jan 2024 21:37:43 +0900
Subject: [PATCH] Fix #2288 allow redirect after logout, only if the target URL is internal
---
 modules/member/member.controller.php | 15 ++++++++++++---
 modules/member/member.view.php | 11 +++++++++--
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/modules/member/member.controller.php b/modules/member/member.controller.php
index 5d2e78671..e6411431b 100644
--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@@ -134,11 +134,20 @@ class MemberController extends Member
 // If a device key is present, unregister it.
 Rhymix\Modules\Member\Controllers\Device::getInstance()->autoUnregisterDevice($logged_info->member_srl);
+ // Set redirect URL.
 $output = new BaseObject();
- $config = ModuleModel::getModuleConfig('member');
- if($config->after_logout_url)
+ $redirect_url = Context::get('redirect_url');
+ if ($redirect_url && Rhymix\Framework\URL::isInternalURL($redirect_url))
 {
- $output->redirect_url = $config->after_logout_url;
+ $output->redirect_url = $redirect_url;
+ }
+ else
+ {
+ $config = ModuleModel::getModuleConfig('member');
+ if($config->after_logout_url)
+ {
+ $output->redirect_url = $config->after_logout_url;
+ }
 }
 return $output;
 }
diff --git a/modules/member/member.view.php b/modules/member/member.view.php
index 06cca3162..882f786ac 100644
--- a/modules/member/member.view.php
+++ b/modules/member/member.view.php
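Review bot: `redirect_url` comes straight from the request and reaches `Rhymix\Framework\URL::isInternalURL()` after only a truthiness test, so a non-string value (for instance an array-valued parameter, if Context::get() passes those through) is handed to the validator. Checking the type first keeps the decision on a plain string, the same value that is then stored in `$output->redirect_url`: `if (is_string($redirect_url) && $redirect_url !== '' && Rhymix\Framework\URL::isInternalURL($redirect_url))`. The open-redirect protection now depends entirely on isInternalURL(), whose body is not part of this patch, so a regression test covering scheme-relative values and non-HTTP schemes as well as foreign hosts would be worth adding alongside it. The enclosing method (presumably procMemberLogout(), given the call in member.view.php) begins above this hunk.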
@@ -897,12 +897,19 @@ class MemberView extends Member
 // Redirect if not logged in.
 if(!Context::get('is_logged'))
 {
- $this->setRedirectUrl(getNotEncodedUrl('act', ''));
+ $this->setRedirectUrl(getNotEncodedUrl('act', '', 'redirect_url', ''));
 return;
 }
 $output = MemberController::getInstance()->procMemberLogout();
- $this->setRedirectUrl(isset($output->redirect_url) ? $output->redirect_url : getNotEncodedUrl('act', ''));
+ if (!empty($output->redirect_url))
+ {
+ $this->setRedirectUrl($output->redirect_url);
+ }
+ else
+ {
+ $this->setRedirectUrl(getNotEncodedUrl('act', '', 'redirect_url', ''));
+ }
 }
 /**
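Review bot: Nothing at the `setRedirectUrl($output->redirect_url)` call records why that value can be used without checking it again; the view relies on procMemberLogout() having already limited it to an internal URL or the configured `after_logout_url`. A short comment above `if (!empty($output->redirect_url))` would keep a later edit from assigning the raw request value here, e.g. `// redirect_url was validated by procMemberLogout(); never read it from the request in this method.` The not-logged-in branch strips `redirect_url` instead of honouring it, which is the safe choice because nothing has validated it on that path; if that is intentional, `// Drop redirect_url: it is not validated on this path.` would say so. The enclosing method begins above this hunk.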