<%args>
$form_action => undef
</%args>
<%init>
# Render the pre-login warning only when referrer restriction is switched on
# and the login form has a target other than the bare WebPath.
return if !RT->Config->Get("RestrictReferrer");
return if ( !$form_action || $form_action eq RT->Config->Get("WebPath") );

# Strictly speaking this is not a CSRF check: the CSRF heuristics are reused
# here because they are good at spotting requests that could have unintended
# side-effects once the user has authenticated.
my ($suspicious, $reason, @reason_args) = RT::Interface::Web::IsPossibleCSRF(\%ARGS);
return if !$suspicious;

# Prefer REQUEST_URI (it carries the query parameters and *should* always be
# set); otherwise fall back to the request object's uri, then to the form action.
# NOTE(review): $destination is request-derived. It is written to the log below
# and emitted by the template via <% %> with no explicit escape flag, so the
# output relies on the component's default Mason escaping being HTML -- confirm.
my $destination = $ENV{'REQUEST_URI'};
if ( !$destination ) {
    $destination = $r->can("uri") ? $r->uri : $form_action;
}

# Leave an audit trail: which request was flagged, and why.
my $why = loc($reason, @reason_args);
$RT::Logger->notice(
    "Marking original destination as having side-effects before showing login form.\n"
   ."Request: $destination\n"
   ."Reason: " . $why
);

# Describe what the destination page might do, with a generic fallback phrase.
my $consequence = RT::Interface::Web::PotentialPageAction($destination);
$consequence ||= loc("perform actions");

# HTML-escape explicitly here: the template interpolates this value into
# markup it hands to /l_unsafe, which (judging by its name) does not escape
# its arguments -- keep this escape in place if the template changes.
$consequence = $m->interp->apply_escapes($consequence => "h");
</%init>
<div class="redirect-warning">
  <p>
    <&|/l&>After logging in you'll be sent to your original destination:</&>
    <tt title="<% $destination %>"><% $destination %></tt>
    <&|/l_unsafe, "<strong>$consequence</strong>" &>which may [_1] on your behalf.</&>
  </p>
  <p><&|/l&>If this is not what you expect, leave this page now without logging in.</&></p>
</div>
