From aa0a4067c829fd4310af9bd74fdae5d431cb9e05 Mon Sep 17 00:00:00 2001
From: Rainer Dema
Date: Fri, 29 Sep 2023 18:46:38 +0200
Subject: [PATCH] Enhance SolidusAdmin authorization with improved redirect mechanism
In scenarios where a user attempts to access a resource, they are not authorized to access, we now handle this by redirecting them to the old admin dashboard as a fallback. This approach serves as an interim solution. As we advance in decoupling the new admin from the old one, we'll reassess and adjust this redirect method to align better with the new system's structure.
---
 .../controller_helpers/authorization.rb | 2 ++
 .../solidus_admin/base_controller_spec.rb | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index ce62d298f25..f8ed367c96e 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -18,6 +18,8 @@ def authorize_solidus_admin_user!
 authorize! :admin, subject
 authorize! action_name.to_sym, subject
+ rescue CanCan::AccessDenied
+ instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
 end
 def authorization_subject
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..9a67af3d08c 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
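Review bot: The new `rescue CanCan::AccessDenied` turns a denied request into a redirect without recording anything, so attempts by a signed-in but unauthorised user to reach the new admin leave no trace of their own; a log line before the delegation, e.g. `Rails.logger.warn("SolidusAdmin: #{action_name} on #{subject.inspect} denied for user #{spree_current_user&.id}")` (`spree_current_user` is the helper the spec stubs on this controller), would keep such denials visible to monitoring. `instance_exec` runs the legacy controller's proc with this controller as `self`, so it only works while everything that proc calls is also available on SolidusAdmin controllers, and because `unauthorized_redirect` is read from the legacy class it is presumably reconfigurable by the host app — a nil value there would surface as a LocalJumpError from `instance_exec(&nil)` rather than a redirect, so a guard or at least a comment is worth adding. A comment such as `# Interim fallback: reuse the legacy admin's unauthorized handling until the new admin has its own` would record the intent given in the commit description. The start of authorize_solidus_admin_user!, where `subject` comes from, lies outside the hunk.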
@@ -15,10 +15,22 @@ def index
 allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
 end
- it "redirects to unauthorized" do
+ it "redirects to unauthorized for no user" do
 get :index
 expect(response).to redirect_to '/unauthorized'
 end
+
+ context "with a user without update permission" do
+ before do user = create(:user, email: 'user@example.com') allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+ end
+
+ it "redirects to unauthorized" do get :index expect(response).to redirect_to '/unauthorized'
+ end
+ end
 end
 context "successful request" do
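Review bot: The new context is described as "with a user without update permission", but its example calls `get :index`, so what is exercised is the `:admin`/`:index` check rather than an update; a name such as `context "with a user lacking admin permission" do` would match the behaviour under test. Both examples expect the same `'/unauthorized'` target, which presumably is fine because a present-but-unauthorised user can only reach it through the rescued `CanCan::AccessDenied` path, but a short comment on the new example, e.g. `# A plain user is signed in, so this redirect comes from the AccessDenied rescue, not the no-user branch`, would make that distinction explicit for the next reader. The `def index` in the hunk header belongs to a controller stub defined outside the hunk.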