Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[admin] Separate authorization from authentication #5390

Merged
merged 3 commits into from
Sep 21, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@
<% end %>
</li>
<li class="h-8 flex items-center hover:bg-gray-25 rounded">
<%= link_to @logout_path, method: @logout_method, class: 'flex gap-2 items-center px-2' do %>
<%= button_to @logout_path, method: @logout_method, class: 'flex gap-2 items-center px-2' do %>
<%= icon_tag("logout-box-line", class: "w-5 h-5 fill-current shrink") %>
<span><%= t('.logout') %></span>
<% end %>
Expand Down
2 changes: 2 additions & 0 deletions admin/app/controllers/solidus_admin/accounts_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

module SolidusAdmin
class AccountsController < SolidusAdmin::BaseController
skip_before_action :authorize_solidus_admin_user!

def show
redirect_to spree.edit_admin_user_path(current_solidus_admin_user)
end
Expand Down
37 changes: 0 additions & 37 deletions admin/app/controllers/solidus_admin/auth_adapters/backend.rb

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# frozen_string_literal: true

module SolidusAdmin::AuthenticationAdapters::Backend
extend ActiveSupport::Concern

included do
delegate :admin_logout_path, to: :spree
helper_method :admin_logout_path
end

private

def authenticate_solidus_backend_user!
return if spree_current_user

instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
end

def store_location
Spree::UserLastUrlStorer.new(self).store_location
end

def spree_current_user
defined?(super) ? super : nil
end
end
5 changes: 3 additions & 2 deletions admin/app/controllers/solidus_admin/base_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,11 @@ class BaseController < ApplicationController
include Spree::Core::ControllerHelpers::Store
include GearedPagination::Controller

include SolidusAdmin::ControllerHelpers::Auth
include SolidusAdmin::ControllerHelpers::Authentication
include SolidusAdmin::ControllerHelpers::Authorization
include SolidusAdmin::ControllerHelpers::Locale
include SolidusAdmin::ComponentsHelper
include SolidusAdmin::AuthAdapters::Backend if defined?(Spree::Backend)
include SolidusAdmin::AuthenticationAdapters::Backend if defined?(Spree::Backend)

layout 'solidus_admin/application'
helper 'solidus_admin/components'
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# frozen_string_literal: true

module SolidusAdmin::ControllerHelpers::Auth
module SolidusAdmin::ControllerHelpers::Authentication
extend ActiveSupport::Concern

included do
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# frozen_string_literal: true

module SolidusAdmin::ControllerHelpers::Authorization
extend ActiveSupport::Concern

included do
before_action :authorize_solidus_admin_user!
end

private

def current_ability
@current_ability ||= Spree::Ability.new(current_solidus_admin_user)
end

def authorize_solidus_admin_user!
subject = authorization_subject

authorize! :admin, subject
authorize! action_name, subject
end

def authorization_subject
"Spree::#{controller_name.classify}".constantize
rescue NameError
raise NotImplementedError, "Couldn't infer the model class from the controller name, " \
"please implement `#{self.class}#authorization_subject`."
end
end
2 changes: 1 addition & 1 deletion admin/lib/solidus_admin/preview.rb
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ module ControllerHelper
extend ActiveSupport::Concern

included do
include SolidusAdmin::ControllerHelpers::Auth
include SolidusAdmin::ControllerHelpers::Authentication
helper ActionView::Helpers
helper SolidusAdmin::ComponentsHelper
helper_method :current_component
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@

# Links are hidden within a <details> element
expect(page).to have_link("Account", href: "/admin/account", visible: :any)
expect(page).to have_link("Logout", href: "/admin/logout", visible: :any)
expect(page.find_link("Logout", visible: :any)["data-method"]).to eq("delete")
within('form[action="/admin/logout"]') do
expect(page).to have_button("Logout", visible: :any)
expect(page).to have_css('input[type="hidden"][name="_method"][value="delete"]')
end
end
end
end