--- /home/ching/liferay/lps523/portal-web/docroot/html/portlet/enterprise_admin/edit_user.jsp 2009-05-14 11:37:58.000000000 +0800
+++ /home/ching/liferay/lps523/tomcat-6.0.18/webapps/ROOT/html/portlet/enterprise_admin/edit_user.jsp 2009-09-07 15:53:48.000000000 +0800
@@ -30,6 +30,40 @@
 String redirect = ParamUtil.getString(request, "redirect");
 String backURL = ParamUtil.getString(request, "backURL", redirect);
+//shepherd.ching 2009-09-07 start
+if (Validator.isNotNull(backURL) && HttpUtil.hasDomain(backURL)) {
+ try {
+ String securityMode = PropsValues.REFERER_URL_SECURITY_MODE;
+
+ String domain = StringUtil.split(HttpUtil.getDomain(backURL), StringPool.COLON)[0];
+
+ if (securityMode.equals("domain")) {
+ String[] allowedDomains = PropsValues.REFERER_URL_DOMAINS_ALLOWED;
+
+ if ((allowedDomains.length > 0) && !ArrayUtil.contains(allowedDomains, domain)) {
+ backURL = null;
+ }
+ }
+ else if (securityMode.equals("ip")) {
+ String[] allowedIps = PropsValues.REFERER_URL_IPS_ALLOWED;
+
+ String serverIp = request.getServerName();
+
+ InetAddress inetAddress = InetAddress.getByName(domain);
+
+ if ((allowedIps.length > 0) && !ArrayUtil.contains(allowedIps, inetAddress.getHostAddress())) {
+ if (!serverIp.equals(inetAddress.getHostAddress()) || !ArrayUtil.contains(allowedIps, "SERVER_IP")) {
+ backURL = null;
+ }
+ }
+ }
+ }
+ catch (UnknownHostException uhe) {
+ backURL = null;
+ }
+}
+//shepherd.ching 2009-09-07 end
+
 User selUser = PortalUtil.getSelectedUser(request);
 Contact selContact = null;
@@ -297,4 +331,4 @@
 <%! private static String[] _CATEGORY_NAMES = {"user-information", "identification", "miscellaneous"};
-%>
\ No newline at end of file
+%>
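Review bot: The new `backURL` check in the first hunk fails open: when `REFERER_URL_DOMAINS_ALLOWED` or `REFERER_URL_IPS_ALLOWED` is empty the `length > 0` guards skip the comparison, and a `securityMode` other than "domain" or "ip" leaves `backURL` untouched, so an absolute `backURL` to any host is still accepted. If an empty list is meant to switch the restriction off, say so in a comment above the block; otherwise add a final `else { backURL = null; }` and drop the `length > 0` conditions. In the "ip" branch, `InetAddress.getByName(domain)` resolves a request-supplied host name while the page renders and the browser resolves it again later, so the address that was checked is not necessarily the one the user is sent to; matching the host name against an allow-list is the more reliable test. `request.getServerName()` normally returns the host name from the request rather than an address, so the `"SERVER_IP"` comparison against `getHostAddress()` presumably matches only when the portal is reached by IP literal. `redirect`, read two lines above the added block, gets no such check, and whether it is used elsewhere on the page is not visible in this hunk.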