From f77cc91b831b3f73ff06278152f5decc3ccf3006 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 19 Apr 2026 11:55:36 +0200
Subject: [PATCH] refactor(admin): use named routes for admin index navigation

Replace Referer-based redirects in Admin Index back() and switchUser()
with named routes (admin.index and dashboard) for consistent navigation
behavior independent of the request header.

Add tests verifying back() returns to admin.index, switchUser routes to
the dashboard, and the Referer header is no longer consulted.
---
 app/Livewire/Admin/Index.php                  |  4 +-
 .../Feature/AdminAccessAuthorizationTest.php  | 47 +++++++++++++++++--
 2 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/app/Livewire/Admin/Index.php b/app/Livewire/Admin/Index.php
index d1345e7bf..4d22047cc 100644
--- a/app/Livewire/Admin/Index.php
+++ b/app/Livewire/Admin/Index.php
@@ -37,7 +37,7 @@ public function back()
             Auth::login($user);
             refreshSession($team_to_switch_to);
 
-            return redirect(request()->header('Referer'));
+            return redirect()->route('admin.index');
         }
     }
 
@@ -70,7 +70,7 @@ public function switchUser(int $user_id)
         Auth::login($user);
         refreshSession($team_to_switch_to);
 
-        return redirect(request()->header('Referer'));
+        return redirect()->route('dashboard');
     }
 
     private function authorizeAdminAccess(): void
diff --git a/tests/Feature/AdminAccessAuthorizationTest.php b/tests/Feature/AdminAccessAuthorizationTest.php
index 4840bc4dd..97895ecda 100644
--- a/tests/Feature/AdminAccessAuthorizationTest.php
+++ b/tests/Feature/AdminAccessAuthorizationTest.php
@@ -1,6 +1,7 @@
 <?php
 
 use App\Livewire\Admin\Index as AdminIndex;
+use App\Models\InstanceSettings;
 use App\Models\Team;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
@@ -70,9 +71,9 @@
 test('switchUser requires root user id 0', function () {
     config()->set('constants.coolify.self_hosted', false);
 
-    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    InstanceSettings::unguarded(fn () => InstanceSettings::query()->create(['id' => 0]));
     $rootUser = User::factory()->create(['id' => 0]);
-    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+    $rootTeam = Team::find(0);
 
     $targetUser = User::factory()->create();
     $targetTeam = Team::factory()->create();
@@ -84,7 +85,47 @@
     Livewire::test(AdminIndex::class)
         ->assertOk()
         ->call('switchUser', $targetUser->id)
-        ->assertRedirect();
+        ->assertRedirect(route('dashboard'));
+});
+
+test('back() redirects impersonator to admin index and clears session', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    InstanceSettings::unguarded(fn () => InstanceSettings::query()->create(['id' => 0]));
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam = Team::find(0);
+
+    $this->actingAs($rootUser);
+    session([
+        'currentTeam' => ['id' => $rootTeam->id],
+        'impersonating' => true,
+    ]);
+
+    Livewire::test(AdminIndex::class)
+        ->call('back')
+        ->assertRedirect(route('admin.index'));
+
+    expect(session('impersonating'))->toBeNull();
+});
+
+test('switchUser ignores Referer header and uses dashboard route', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    InstanceSettings::unguarded(fn () => InstanceSettings::query()->create(['id' => 0]));
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam = Team::find(0);
+
+    $targetUser = User::factory()->create();
+    $targetTeam = Team::factory()->create();
+    $targetTeam->members()->attach($targetUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::withHeaders(['Referer' => 'https://example.com/elsewhere'])
+        ->test(AdminIndex::class)
+        ->call('switchUser', $targetUser->id)
+        ->assertRedirect(route('dashboard'));
 });
 
 test('switchUser rejects non-root user', function () {