diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index c0a1d970dce..f067f0751a3 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
 included do
 before_action :authorize_solidus_admin_user!
+
+ rescue_from CanCan::AccessDenied do
+ render 'unauthorized', status: :forbidden
+ end
 end
 private
@@ -17,7 +21,7 @@ def authorize_solidus_admin_user!
 subject = authorization_subject
 authorize! :admin, subject
- authorize! action_name, subject
+ authorize! action_name.to_sym, subject
 end
 def authorization_subject
diff --git a/admin/app/views/solidus_admin/base/unauthorized.html.erb b/admin/app/views/solidus_admin/base/unauthorized.html.erb
new file mode 100644
index 00000000000..b47118192b0
--- /dev/null
+++ b/admin/app/views/solidus_admin/base/unauthorized.html.erb
@@ -0,0 +1,4 @@
+
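Review bot: The new `rescue_from CanCan::AccessDenied` handler discards the exception without a trace, so a denied admin action leaves nothing in the logs even though the rendered page deliberately shows only the generic locale text; capturing the block argument and logging the denied action and subject, `rescue_from CanCan::AccessDenied do |exception|` followed by `logger.warn("Solidus admin access denied: #{exception.action} on #{exception.subject}")`, keeps the detail server-side where it is useful for review. The handler also renders the HTML template for every request format, so a denied JSON or Turbo request would presumably fail on a missing template rather than return a clean 403; a `respond_to` with an `html` branch and `head :forbidden` otherwise would keep the status consistent across formats. The concern's remaining methods below `private` are outside this hunk.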
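Review bot: `authorize! action_name.to_sym, subject` in the second hunk corrects a likely silent mismatch, since CanCanCan rules and action aliases (such as `:read` covering `:index` and `:show`) are keyed by symbols while `action_name` is a String, but nothing in the code says so. A one-line comment above it, `# CanCan rules and aliases are keyed by symbols; action_name is a String`, would save the next reader from reverting it as a no-op. `action_name` appears to come from the router's resolved action rather than from request input, so the conversion does not create caller-controlled symbols. The enclosing `authorize_solidus_admin_user!` method starts above this hunk.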
+

<%= t('solidus_admin.errors.authorization.access_denied.title') %>

+

<%= t('solidus_admin.errors.authorization.access_denied.description') %>

+
diff --git a/admin/config/locales/errors.en.yml b/admin/config/locales/errors.en.yml
new file mode 100644
index 00000000000..bf22b801c75
--- /dev/null
+++ b/admin/config/locales/errors.en.yml
@@ -0,0 +1,7 @@
+en:
+ solidus_admin:
+ errors:
+ authorization:
+ access_denied:
+ title: "Access Denied"
+ description: "You are not authorized to access this page."
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..b7bb5f8fc52 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
@@ -15,10 +15,22 @@ def index
 allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
 end
- it "redirects to unauthorized" do
+ it "redirects to unauthorized for no user" do
 get :index
 expect(response).to redirect_to '/unauthorized'
 end
+
+ context "with a user without update permission" do
+ before do
+ user = create(:user, email: 'user@example.com')
+ allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+ end
+
+ it "redirects to unauthorized" do
+ get :index
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
 end
 context "successful request" do
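Review bot: The new example in the spec hunk is described as `it "redirects to unauthorized"` but asserts `have_http_status(:forbidden)`, which is a rendered 403 and not a redirect, and its context is titled "without update permission" although the only request exercised is `get :index`. Renaming the example to `it "responds with 403 forbidden" do` and the context to describe the missing `:admin`/`:index` permission makes the spec say what it checks. Asserting the body as well, `expect(response.body).to include(I18n.t('solidus_admin.errors.authorization.access_denied.title'))`, would pin the new `rescue_from` rendering rather than only the status code. The `def index` named in the hunk header is defined above this hunk.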