Add configurable unauthorized path (#2522)

When a user is logged in and requests a page she does not have access to in the admin panel, she becomes redirected to "/" which was hardcoded.
AlchemyCMS · Jul 31, 2023 · 1ab7340 · 1ab7340
1 parent cc6dc0f
commit 1ab7340
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -146,6 +146,7 @@ Alchemy.signup_path         = '/your/signup/path'      # Defaults to '/signup'
 Alchemy.login_path          = '/your/login/path'       # Defaults to '/login'
 Alchemy.logout_path         = '/your/logout/path'      # Defaults to '/logout'
 Alchemy.logout_method       = 'http_verb_for_logout'   # Defaults to 'delete'
+Alchemy.unauthorized_path   = '/some/public/page'      # Defaults to '/'
 ```
 
 The only thing Alchemy needs to know from your user class is the `alchemy_roles` method.

diff --git a/app/controllers/alchemy/base_controller.rb b/app/controllers/alchemy/base_controller.rb
@@ -65,7 +65,7 @@ def handle_redirect_for_user
       if can?(:index, :alchemy_admin_dashboard)
         redirect_or_render_notice
       else
-        redirect_to("/")
+        redirect_to Alchemy.unauthorized_path
       end
     end
 

diff --git a/lib/alchemy/auth_accessors.rb b/lib/alchemy/auth_accessors.rb
@@ -11,6 +11,7 @@
 # +Alchemy.login_path defaults to +'/login'+
 # +Alchemy.logout_path defaults to +'/logout'+
 # +Alchemy.logout_method defaults to +'delete'+
+# +Alchemy.unauthorized_path defaults to +'/'+
 #
 # Anyway, you can tell Alchemy about your authentication model configuration:
 #
@@ -22,6 +23,7 @@
 #   5. The path to the login form - @see: Alchemy.login_path
 #   6. The path to the logout method - @see: Alchemy.logout_path
 #   7. The http verb for the logout method - @see: Alchemy.logout_method
+#   8. The path to the page showing the user she's unauthorized - @see: Alchemy.unauthorized_path
 #
 # == Example
 #
@@ -33,6 +35,7 @@
 #     Alchemy.login_path = '/auth/login'
 #     Alchemy.logout_path = '/auth/logout'
 #     Alchemy.logout_method = 'get'
+#     Alchemy.unauthorized_path = '/home'
 #
 # If you don't have your own user model or don't want to provide one,
 # add the `alchemy-devise` gem into your App's Gemfile.
@@ -49,7 +52,8 @@ module Alchemy
     :signup_path,
     :login_path,
     :logout_path,
-    :logout_method
+    :logout_method,
+    :unauthorized_path
 
   # Defaults
   #
@@ -60,6 +64,7 @@ module Alchemy
   @@login_path = "/login"
   @@logout_path = "/logout"
   @@logout_method = "delete"
+  @@unauthorized_path = "/"
 
   # Returns the user class
   #

diff --git a/spec/controllers/alchemy/admin/base_controller_spec.rb b/spec/controllers/alchemy/admin/base_controller_spec.rb
@@ -57,6 +57,25 @@
     end
   end
 
+  describe "#permission_denied" do
+    context "when called with an AccessDenied exception" do
+      before do
+        allow(controller).to receive(:redirect_to)
+      end
+
+      it "redirects to login_path if no user" do
+        controller.send(:permission_denied, CanCan::AccessDenied.new)
+        expect(controller).to have_received(:redirect_to).with(Alchemy.login_path)
+      end
+
+      it "redirects to unauthorized_path for a logged in user" do
+        authorize_user(build(:alchemy_dummy_user))
+        controller.send(:permission_denied, CanCan::AccessDenied.new)
+        expect(controller).to have_received(:redirect_to).with(Alchemy.unauthorized_path)
+      end
+    end
+  end
+
   context "when current_alchemy_user is present" do
     let!(:page_1) { create(:alchemy_page, name: "Page 1") }
     let!(:page_2) { create(:alchemy_page, name: "Page 2") }

diff --git a/spec/controllers/alchemy/base_controller_spec.rb b/spec/controllers/alchemy/base_controller_spec.rb
@@ -34,6 +34,25 @@ module Alchemy
       end
     end
 
+    describe "#permission_denied" do
+      context "when called with an AccessDenied exception" do
+        before do
+          allow(controller).to receive(:redirect_to)
+        end
+
+        it "redirects to login_path if no user" do
+          controller.send(:permission_denied, CanCan::AccessDenied.new)
+          expect(controller).to have_received(:redirect_to).with(Alchemy.login_path)
+        end
+
+        it "redirects to unauthorized_path for a logged in user" do
+          authorize_user(build(:alchemy_dummy_user))
+          controller.send(:permission_denied, CanCan::AccessDenied.new)
+          expect(controller).to have_received(:redirect_to).with(Alchemy.unauthorized_path)
+        end
+      end
+    end
+
     describe "#multi_language?" do
       subject { controller.multi_language? }