How to prevent force_ssl from destroying params in redirect?

I have the following route:

resources :widgets do
 开发者_开发问答 resources :orders
end

so that a request, e.g. to /widgets/1/orders/new goes to OrderController, which can access params[:widget_id] to know which widget is being purchased.

The problem is this: I use force_ssl in OrderController. This is causing requests for:

http://www.example.com/widgets/1/orders/new

to be redirected (302) to:

https://www.example.com/

In other words, force_ssl is doing its job (redirecting to https protocol version of URL), but is destroying the parameters specified by the dynamic segment of the route in the process. How can I prevent this from happening (preferable) or work around it in the least offensive way?

Note that this is hosted on Heroku, and so e.g. an Apache redirect won't work for me.

I believe the default behavior of force_ssl is to pass parameters from the non-secure connection to the secure connection. If this is not the behaviour you want, you could try to override the force_ssl function by adding an initializer like that:

#
# Pass parameters in SSL redirects
#
module ActionController
  module ForceSSL
    module ClassMethods
      def force_ssl(options = {})
        host = options.delete(:host)
        before_filter(options) do
          if !request.ssl? && !Rails.env.development?

            secure_params = request.params.clone
            [:only, :except, :protocol, :status, :host].each {|s| secure_params.delete(s)}

            redirect_options = {:protocol => 'https://', :status => :moved_permanently}
            redirect_options.merge!(:host => host) if host
            redirect_to redirect_options.merge(secure_params)
          end
        end

      end
    end
  end
end