Skip to content

Commit

Permalink
Merge pull request #5399 from nebulab/rainerd/fix/cancancan-action-na…
Browse files Browse the repository at this point in the history
…me-symbol

[Admin] Ensure `action_name` is passed as symbol for `cancancan` authorization
  • Loading branch information
rainerdema authored Oct 6, 2023
2 parents bd404fe + dca1907 commit 218cc43
Show file tree
Hide file tree
Showing 4 changed files with 29 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization

included do
before_action :authorize_solidus_admin_user!

rescue_from CanCan::AccessDenied do
render 'unauthorized', status: :forbidden
end
end

private
Expand All @@ -17,7 +21,7 @@ def authorize_solidus_admin_user!
subject = authorization_subject

authorize! :admin, subject
authorize! action_name, subject
authorize! action_name.to_sym, subject
end

def authorization_subject
Expand Down
4 changes: 4 additions & 0 deletions admin/app/views/solidus_admin/base/unauthorized.html.erb
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<div class="p-4">
<h1 class="text-3xl font-semibold text-solidusRed mb-4"><%= t('solidus_admin.errors.authorization.access_denied.title') %></h1>
<p class="text-lg text-gray-700"><%= t('solidus_admin.errors.authorization.access_denied.description') %></p>
</div>
7 changes: 7 additions & 0 deletions admin/config/locales/errors.en.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
en:
solidus_admin:
errors:
authorization:
access_denied:
title: "Access Denied"
description: "You are not authorized to access this page."
14 changes: 13 additions & 1 deletion admin/spec/controllers/solidus_admin/base_controller_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,22 @@ def index
allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
end

it "redirects to unauthorized" do
it "redirects to unauthorized for no user" do
get :index
expect(response).to redirect_to '/unauthorized'
end

context "with a user without update permission" do
before do
user = create(:user, email: '[email protected]')
allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
end

it "redirects to unauthorized" do
get :index
expect(response).to have_http_status(:forbidden)
end
end
end

context "successful request" do
Expand Down

0 comments on commit 218cc43

Please sign in to comment.