From dca1907e845f84893f257ccaaa5c240e56be04d0 Mon Sep 17 00:00:00 2001
From: Rainer Dema <rainer.dema@gmail.com>
Date: Fri, 6 Oct 2023 17:48:14 +0200
Subject: [PATCH] Refactor unauthorized access handling in SolidusAdmin

Enhance the SolidusAdmin authorization mechanism to improve user
experience during unauthorized access attempts. Now, instead of
previous behavior, users are redirected to a dedicated unauthorized
page when attempting to access a resource for which they do not have
permission.
---
 .../controller_helpers/authorization.rb            |  4 ++++
 .../views/solidus_admin/base/unauthorized.html.erb |  4 ++++
 admin/config/locales/errors.en.yml                 |  7 +++++++
 .../solidus_admin/base_controller_spec.rb          | 14 +++++++++++++-
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 admin/app/views/solidus_admin/base/unauthorized.html.erb
 create mode 100644 admin/config/locales/errors.en.yml

diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index ce62d298f25..f067f0751a3 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
 
   included do
     before_action :authorize_solidus_admin_user!
+
+    rescue_from CanCan::AccessDenied do
+      render 'unauthorized', status: :forbidden
+    end
   end
 
   private
diff --git a/admin/app/views/solidus_admin/base/unauthorized.html.erb b/admin/app/views/solidus_admin/base/unauthorized.html.erb
new file mode 100644
index 00000000000..b47118192b0
--- /dev/null
+++ b/admin/app/views/solidus_admin/base/unauthorized.html.erb
@@ -0,0 +1,4 @@
+<div class="p-4">
+  <h1 class="text-3xl font-semibold text-solidusRed mb-4"><%= t('solidus_admin.errors.authorization.access_denied.title') %></h1>
+  <p class="text-lg text-gray-700"><%= t('solidus_admin.errors.authorization.access_denied.description') %></p>
+</div>
diff --git a/admin/config/locales/errors.en.yml b/admin/config/locales/errors.en.yml
new file mode 100644
index 00000000000..bf22b801c75
--- /dev/null
+++ b/admin/config/locales/errors.en.yml
@@ -0,0 +1,7 @@
+en:
+  solidus_admin:
+    errors:
+      authorization:
+        access_denied:
+          title: "Access Denied"
+          description: "You are not authorized to access this page."
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..b7bb5f8fc52 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
@@ -15,10 +15,22 @@ def index
       allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
     end
 
-    it "redirects to unauthorized" do
+    it "redirects to unauthorized for no user" do
       get :index
       expect(response).to redirect_to '/unauthorized'
     end
+
+    context "with a user without update permission" do
+      before do
+        user = create(:user, email: 'user@example.com')
+        allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+      end
+
+      it "redirects to unauthorized" do
+        get :index
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
   end
 
   context "successful request" do