diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index c0a1d970dce..f067f0751a3 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
included do
before_action :authorize_solidus_admin_user!
+
+ rescue_from CanCan::AccessDenied do
+ render 'unauthorized', status: :forbidden
+ end
end
private
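Review bot: `render 'unauthorized'` in the new rescue_from block resolves the template relative to the including controller's view path, so `solidus_admin/base/unauthorized` is only found through controller inheritance from BaseController; a controller that includes this concern without inheriting from it would raise a missing-template error (a 500) instead of the intended 403. Rendering the fully-qualified path, `render 'solidus_admin/base/unauthorized', status: :forbidden`, removes that dependency. Non-HTML requests (JSON, for instance) would presumably hit the same missing-template path, so a format-aware fallback such as `head :forbidden` is worth considering — hedged, since the concern's includers are not visible here. A one-line comment above the block would also help: `# Turn CanCan denials into a 403 page instead of an unhandled exception.`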
@@ -17,7 +21,7 @@ def authorize_solidus_admin_user!
subject = authorization_subject
authorize! :admin, subject
- authorize! action_name, subject
+ authorize! action_name.to_sym, subject
end
def authorization_subject
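Review bot: The `.to_sym` on the second `authorize!` call deserves a comment, since the reason is not visible at the call site: `# CanCan rules are declared with symbol actions, so the String action_name must be converted to match them.` That is the conventional CanCan contract rather than something this hunk shows, so confirm it against the ability definitions. `action_name` is set by the router from a declared route, so the symbol conversion is bounded by the routing table rather than by raw request input. The enclosing `authorize_solidus_admin_user!` method begins outside the hunk.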
diff --git a/admin/app/views/solidus_admin/base/unauthorized.html.erb b/admin/app/views/solidus_admin/base/unauthorized.html.erb
new file mode 100644
index 00000000000..b47118192b0
--- /dev/null
+++ b/admin/app/views/solidus_admin/base/unauthorized.html.erb
@@ -0,0 +1,4 @@
+
+
<%= t('solidus_admin.errors.authorization.access_denied.title') %>
+
<%= t('solidus_admin.errors.authorization.access_denied.description') %>
+
diff --git a/admin/config/locales/errors.en.yml b/admin/config/locales/errors.en.yml
new file mode 100644
index 00000000000..bf22b801c75
--- /dev/null
+++ b/admin/config/locales/errors.en.yml
@@ -0,0 +1,7 @@
+en:
+ solidus_admin:
+ errors:
+ authorization:
+ access_denied:
+ title: "Access Denied"
+ description: "You are not authorized to access this page."
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..b7bb5f8fc52 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
@@ -15,10 +15,22 @@ def index
allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
end
- it "redirects to unauthorized" do
+ it "redirects to unauthorized for no user" do
get :index
expect(response).to redirect_to '/unauthorized'
end
+
+ context "with a user without update permission" do
+ before do
+ user = create(:user, email: 'user@example.com')
+ allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+ end
+
+ it "redirects to unauthorized" do
+ get :index
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
end
context "successful request" do
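Review bot: The new example is named `"redirects to unauthorized"` but its assertion checks `have_http_status(:forbidden)`, not a redirect; name it for what it asserts, e.g. `it "responds with 403 Forbidden"`. The example also does not verify that the access-denied template was rendered, so a 403 produced by any other path would pass; asserting that the body contains the access-denied title would pin the behaviour the rescue_from introduces. The `email: 'user@example.com'` argument to `create(:user)` is not referenced by any assertion and could be dropped. The surrounding describe block starts and ends outside the hunk.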