From cef7d9e6cbc243d395ab75f8c29752bcb95848ad Mon Sep 17 00:00:00 2001
From: Rainer Dema
Date: Fri, 29 Sep 2023 12:32:03 +0200
Subject: [PATCH 1/2] Convert action_name to symbol for CanCanCan authorization

Fix CanCanCan authorization by converting action_name to symbol. In the context of implementing permissions in the Solidus Demo, we identified that `action_name` in string format doesn't align with CanCanCan's `authorize!` method expectations. It needs to be in symbol format to be processed correctly. This change ensures our authorization logic functions as intended also for the new solidus admin views.
---
 .../solidus_admin/controller_helpers/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index c0a1d970dce..ce62d298f25 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -17,7 +17,7 @@ def authorize_solidus_admin_user!
 subject = authorization_subject
 authorize! :admin, subject
- authorize! action_name, subject
+ authorize! action_name.to_sym, subject
 end
 def authorization_subject
From dca1907e845f84893f257ccaaa5c240e56be04d0 Mon Sep 17 00:00:00 2001 
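Review bot: The `.to_sym` on the `+` line fixes the rule lookup, but the reason is invisible to the next reader; add `# CanCanCan matches rules by Symbol action; the String action_name does not match, so convert it` above the call. Since `action_name` is taken from the matched route rather than from free-form request input, the Symbol conversion is bounded to declared controller actions, which is worth stating in the same comment. Note that with a Symbol CanCanCan's default action aliases presumably apply too, so a `:read` rule would now satisfy `:index`/`:show` on the subject, which changes who passes this check compared to the old String form. The enclosing `authorize_solidus_admin_user!` begins above the hunk.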
From: Rainer Dema
Date: Fri, 6 Oct 2023 17:48:14 +0200
Subject: [PATCH 2/2] Refactor unauthorized access handling in SolidusAdmin

Enhance the SolidusAdmin authorization mechanism to improve user experience during unauthorized access attempts. Now, instead of previous behavior, users are redirected to a dedicated unauthorized page when attempting to access a resource for which they do not have permission.
---
 .../controller_helpers/authorization.rb | 4 ++++
 .../views/solidus_admin/base/unauthorized.html.erb | 4 ++++
 admin/config/locales/errors.en.yml | 7 +++++++
 .../solidus_admin/base_controller_spec.rb | 14 +++++++++++++-
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 admin/app/views/solidus_admin/base/unauthorized.html.erb
 create mode 100644 admin/config/locales/errors.en.yml

diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index ce62d298f25..f067f0751a3 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
 included do
 before_action :authorize_solidus_admin_user!
+
+ rescue_from CanCan::AccessDenied do
+ render 'unauthorized', status: :forbidden
+ end
 end
 private
diff --git a/admin/app/views/solidus_admin/base/unauthorized.html.erb b/admin/app/views/solidus_admin/base/unauthorized.html.erb
new file mode 100644
index 00000000000..b47118192b0
--- /dev/null
+++ b/admin/app/views/solidus_admin/base/unauthorized.html.erb
@@ -0,0 +1,4 @@
+
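Review bot: `render 'unauthorized'` in the new `rescue_from` block is resolved against the including controller's view path, while the template is added under `solidus_admin/base/`, so it is found only through template inheritance from `SolidusAdmin::BaseController`; rendering `'solidus_admin/base/unauthorized'` explicitly avoids a missing-template error if a controller ever includes this concern without that ancestor. The handler also discards the exception silently, so denied admin actions leave no trace for operators; I would bind the error and log it before rendering: `rescue_from CanCan::AccessDenied do |error|`, `logger.warn("solidus_admin: access denied for #{controller_path}##{error.action}")`, `render 'solidus_admin/base/unauthorized', status: :forbidden`. The module that owns this `included` block opens above the hunk.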
+

<%= t('solidus_admin.errors.authorization.access_denied.title') %>

+

<%= t('solidus_admin.errors.authorization.access_denied.description') %>

+
diff --git a/admin/config/locales/errors.en.yml b/admin/config/locales/errors.en.yml
new file mode 100644
index 00000000000..bf22b801c75
--- /dev/null
+++ b/admin/config/locales/errors.en.yml
@@ -0,0 +1,7 @@
+en:
+ solidus_admin:
+ errors:
+ authorization:
+ access_denied:
+ title: "Access Denied"
+ description: "You are not authorized to access this page."
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..b7bb5f8fc52 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
@@ -15,10 +15,22 @@ def index
 allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
 end
- it "redirects to unauthorized" do
+ it "redirects to unauthorized for no user" do
 get :index
 expect(response).to redirect_to '/unauthorized'
 end
+
+ context "with a user without update permission" do
+ before do
+ user = create(:user, email: 'user@example.com')
+ allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+ end
+
+ it "redirects to unauthorized" do
+ get :index
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
 end
 context "successful request" do
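Review bot: The new example near the end of the spec hunk is titled "redirects to unauthorized" but asserts `have_http_status(:forbidden)`, which is a rendered response rather than a redirect; rename it, e.g. `it "renders the unauthorized page with 403" do`, so it no longer reads as a duplicate of the nil-user example above it. The context appears to rely on a freshly created `:user` factory record carrying no admin ability, which is neither stated nor stubbed; naming that assumption in the `before` block (or stubbing the ability) keeps the example meaningful if factory defaults change. It also checks only the status code, so a 403 produced for any other reason would pass; asserting on the rendered template or the "Access Denied" body would pin the new handler specifically. The surrounding `describe` block and the "successful request" context continue outside the hunk.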