From a6171dc13b8d0854dbfb32739415a730b99c76a4 Mon Sep 17 00:00:00 2001
From: FloWalchs
Date: Thu, 14 May 2026 21:14:26 +0000
Subject: [PATCH] 0004-Validate-back-url-in-user-removal-confirmation-flow
---
 app/controllers/groups_controller.rb | 5 ++++-
 app/views/groups/remove_users.erb | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index ef7cc99c0..69f3cc77a 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -117,7 +117,10 @@ class GroupsController < ApplicationController
 @users = User.not_in_group(@group).where(:id => (params[:user_id] || params[:user_ids])).to_a
 @group.users << @users
 respond_to do |format|
- format.html {redirect_back_or_default edit_group_path(@group, :tab => 'users')}
+ format.html do
+ flash[:notice] = l(:notice_successful_update)
+ redirect_back_or_default edit_group_path(@group, :tab => 'users')
+ end
 format.js
 format.api do
 if @users.any?
diff --git a/app/views/groups/remove_users.erb b/app/views/groups/remove_users.erb
index 3d1497681..62fe98b72 100644
--- a/app/views/groups/remove_users.erb
+++ b/app/views/groups/remove_users.erb
@@ -1,6 +1,7 @@
 <%= title l(:label_confirmation) %>
 <%= form_tag(group_users_path(@group, :user_ids => @users.map(&:id)), method: :delete) do %>
+ <%= back_url_hidden_field_tag %>
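Review bot: The new html branch sets `flash[:notice] = l(:notice_successful_update)` unconditionally, while the api branch a few lines below checks `@users.any?` before reporting success, so an HTML request whose ids match no eligible user (the `User.not_in_group(@group).where(...)` scope can return nothing) still shows a success notice. Guarding it the same way keeps the two formats consistent: `flash[:notice] = l(:notice_successful_update) if @users.any?`. The enclosing action begins before the hunk (only the class line is shown as context) and its api branch continues past it. This notice is also unrelated to the back-URL validation the patch subject describes, so a separate commit or a mention in the description would make the history easier to audit.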

<%= simple_format l :text_users_remove_from_group_confirmation, group: "#{@group.name}".html_safe %>

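Review bot: The hidden `back_url` field added to the delete form only closes the redirect issue if the action that receives this form (not part of this diff) routes its redirect through `redirect_back_or_default`, as the controller hunk does for the add path, rather than redirecting to `params[:back_url]` directly; the helper controls what is rendered, not what the server accepts on submit. A short comment on the tag, e.g. `<%# carried to the DELETE action, which must validate it before redirecting %>`, would make that dependency explicit for the next editor. The form opened here is closed in the file's second hunk.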
@@ -15,6 +16,6 @@

<%= submit_tag l(:button_delete) %>
- <%= link_to l(:button_cancel), @back_url || users_path %>
+ <%= cancel_button_tag(users_path) %>

<% end %>
--
2.43.0
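Review bot: `cancel_button_tag(users_path)` removes the last direct use of `@back_url` in this view, but whether the helper validates the back URL it reads before rendering the link is not visible in this diff; if it simply prefers the raw `back_url` parameter over the fallback, the cancel link would still carry a caller-supplied URL and the patch subject's goal would only be half met. Confirm the helper applies the same check that `redirect_back_or_default` applies in the controller hunk, or fall back to `users_path` when the value fails that check. If the controller still assigns `@back_url` for this template, that assignment is now dead and can be dropped.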