up

src/auth/login.php

@@ -132,20 +132,44 @@ $_SESSION['user'] = [
 ];
 
 /* ---------------------------------------------------------
-   FLASH & REDIRECT
+   FLASH & SMART REDIRECT
 --------------------------------------------------------- */
 
 flash_set('success', 'Willkommen zurück, ' . ($user['first_name'] ?: 'User') . '!', 'login');
 
-// Redirect absichern: nur interne Pfade
-$target = is_string($redirect) ? trim($redirect) : '/';
-if ($target === '' || !str_starts_with($target, '/')) {
-    $target = '/';
+// redirect normalisieren
+$redirect = trim((string)($redirect ?? ''));
+
+// Flag: sollen wir stattdessen aufs Dashboard?
+$goDashboard = false;
+
+// 1) redirect leer → Dashboard
+if ($redirect === '') {
+    $goDashboard = true;
 }
 
-// Sprache anhängen
-$sep    = (strpos($target, '?') === false) ? '?' : '&';
-$target = $target . $sep . 'lang=' . urlencode($lang);
+// 2) redirect zeigt auf /login → Dashboard (Endlosschleife vermeiden)
+if (!$goDashboard && preg_match('#^/login(/|\?|$)#i', $redirect)) {
+    $goDashboard = true;
+}
+
+// 3) redirect ist keine interne URL → Dashboard (Sicherheit!)
+if (!$goDashboard && strpos($redirect, '/') !== 0) {
+    $goDashboard = true;
+}
+
+// 4) Finales Ziel bestimmen
+if ($goDashboard) {
+    // Immer Dashboard-Seite
+    $target = '/dashboard/?lang=' . urlencode($lang);
+} else {
+    // Internes Ziel, Sprache anhängen falls noch nicht vorhanden
+    if (strpos($redirect, 'lang=') === false) {
+        $sep      = (strpos($redirect, '?') === false) ? '?' : '&';
+        $redirect = $redirect . $sep . 'lang=' . urlencode($lang);
+    }
+    $target = $redirect;
+}
 
 header('Location: ' . $target);
 exit;