solidusio · elia · Sep 21, 2023 · Sep 19, 2023 · Sep 20, 2023 · Sep 20, 2023
@@ -58,7 +58,7 @@
       <% end %>
     </li>
     <li class="h-8 flex items-center hover:bg-gray-25 rounded">
-      <%= link_to @logout_path, method: @logout_method, class: 'flex gap-2 items-center px-2' do %>
+      <%= button_to @logout_path, method: @logout_method, class: 'flex gap-2 items-center px-2' do %>
         <%= icon_tag("logout-box-line", class: "w-5 h-5 fill-current shrink") %>
         <span><%= t('.logout') %></span>
       <% end %>

@@ -2,6 +2,8 @@
 
 module SolidusAdmin
   class AccountsController < SolidusAdmin::BaseController
+    skip_before_action :authorize_solidus_admin_user!
+
     def show
       redirect_to spree.edit_admin_user_path(current_solidus_admin_user)
     end

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module SolidusAdmin::AuthenticationAdapters::Backend
+  extend ActiveSupport::Concern
+
+  included do
+    delegate :admin_logout_path, to: :spree
+    helper_method :admin_logout_path
+  end
+
+  private
+
+  def authenticate_solidus_backend_user!
+    return if spree_current_user
+
+    instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
+  end
+
+  def store_location
+    Spree::UserLastUrlStorer.new(self).store_location
+  end
+
+  def spree_current_user
+    defined?(super) ? super : nil
+  end
+end
@@ -8,10 +8,11 @@ class BaseController < ApplicationController
     include Spree::Core::ControllerHelpers::Store
     include GearedPagination::Controller
 
-    include SolidusAdmin::ControllerHelpers::Auth
+    include SolidusAdmin::ControllerHelpers::Authentication
+    include SolidusAdmin::ControllerHelpers::Authorization
     include SolidusAdmin::ControllerHelpers::Locale
     include SolidusAdmin::ComponentsHelper
-    include SolidusAdmin::AuthAdapters::Backend if defined?(Spree::Backend)
+    include SolidusAdmin::AuthenticationAdapters::Backend if defined?(Spree::Backend)
 
     layout 'solidus_admin/application'
     helper 'solidus_admin/components'

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module SolidusAdmin::ControllerHelpers::Auth
+module SolidusAdmin::ControllerHelpers::Authentication
   extend ActiveSupport::Concern
 
   included do

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module SolidusAdmin::ControllerHelpers::Authorization
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize_solidus_admin_user!
+  end
+
+  private
+
+  def current_ability
+    @current_ability ||= Spree::Ability.new(current_solidus_admin_user)
+  end
+
+  def authorize_solidus_admin_user!
+    subject = authorization_subject
+
+    authorize! :admin, subject
+    authorize! action_name, subject
+  end
+
+  def authorization_subject
+    "Spree::#{controller_name.classify}".constantize
+  rescue NameError
+    raise NotImplementedError, "Couldn't infer the model class from the controller name, " \
+      "please implement `#{self.class}#authorization_subject`."
+  end
+end
@@ -27,7 +27,7 @@ module ControllerHelper
     extend ActiveSupport::Concern
 
     included do
-      include SolidusAdmin::ControllerHelpers::Auth
+      include SolidusAdmin::ControllerHelpers::Authentication
       helper ActionView::Helpers
       helper SolidusAdmin::ComponentsHelper
       helper_method :current_component

@@ -22,8 +22,10 @@
 
       # Links are hidden within a <details> element
       expect(page).to have_link("Account", href: "/admin/account", visible: :any)
-      expect(page).to have_link("Logout", href: "/admin/logout", visible: :any)
-      expect(page.find_link("Logout", visible: :any)["data-method"]).to eq("delete")
+      within('form[action="/admin/logout"]') do
+        expect(page).to have_button("Logout", visible: :any)
+        expect(page).to have_css('input[type="hidden"][name="_method"][value="delete"]')
+      end
     end
   end
 end