

When a controller action fails to be authorized, redirect back if a re…
…ferrer is present or redirect to /unauthorized
genarorg authored and kennyadsl committed Jun 16, 2020
1 parent a77df8a commit 4a3ac73
Showing 2 changed files with 21 additions and 2 deletions.
4 changes: 2 additions & 2 deletions core/lib/spree/core/controller_helpers/auth.rb
Expand Up @@ -11,7 +11,7 @@ module Auth
# @!attribute [rw] unauthorized_redirect
# @!scope class
# Extension point for overriding behaviour of access denied errors.
# Default behaviour is to redirect to "/unauthorized" with a flash
# Default behaviour is to redirect back or to "/unauthorized" with a flash
# message.
# @return [Proc] action to take when access denied error is raised.

Expand All @@ -22,7 +22,7 @@ module Auth
class_attribute :unauthorized_redirect
self.unauthorized_redirect = -> do
flash[:error] = I18n.t('spree.authorization_failure')
redirect_to "/unauthorized"
redirect_back(fallback_location: "/unauthorized")
end

rescue_from CanCan::AccessDenied do
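Review bot: The new `redirect_back(fallback_location: "/unauthorized")` line inside the `unauthorized_redirect` proc follows the `Referer` header wherever it points, and that header is supplied by the client; on Rails versions where `redirect_back` does not restrict the target host (Rails 6.0 and earlier do not, and `allow_other_host: false` only exists on newer releases, so this depends on what the tree supports), an access-denied response can bounce the user to an external origin. The safer form is to honour only a same-host referrer and otherwise fall through to `/unauthorized`, which keeps the behaviour the commit message describes for the normal case. A second, inferred problem is a redirect loop when the referrer is itself a page that now fails authorization (for example after the session expires), since each denial redirects to the other; comparing the referrer against `request.url` before redirecting avoids that. The enclosing `module Auth` starts outside the hunk; the proc itself is shown in full, and the rewrite below leaves the extension point's interface unchanged.
```ruby
self.unauthorized_redirect = -> do
  flash[:error] = I18n.t('spree.authorization_failure')
  # Referer is client-supplied: only follow it when it stays on this host and
  # is not the URL that was just denied; otherwise use the fixed fallback.
  referer = request.referer
  safe_referer =
    referer.present? &&
    referer != request.url &&
    begin
      host = URI.parse(referer).host
      host.nil? || host == request.host
    rescue URI::InvalidURIError
      false
    end
  redirect_to(safe_referer ? referer : "/unauthorized")
end
```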
19 changes: 19 additions & 0 deletions core/spec/lib/spree/core/controller_helpers/auth_spec.rb
Expand Up @@ -91,4 +91,23 @@ def controller.index
expect(controller.try_spree_current_user).to eq nil
end
end

describe '#unauthorized_redirect' do
controller(FakesController) do
def index; authorize!(:read, :something); end
end

context "http_referrer is present" do
before { request.env['HTTP_REFERER'] = '/redirect' }
it "redirects back" do
get :index
expect(response).to redirect_to('/redirect')
end
end

it "redirects to unauthorized" do
get :index
expect(response).to redirect_to('/unauthorized')
end
end
end
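Review bot: The new `"http_referrer is present"` context only exercises a same-site path (`'/redirect'`), so it would not catch a regression where a cross-origin or malformed `Referer` is followed by the redirect; once the helper restricts the referrer to the current host, add a sibling context with `before { request.env['HTTP_REFERER'] = 'http://evil.example/' }` asserting `expect(response).to redirect_to('/unauthorized')`. The context label also spells the header as `http_referrer`, while the env key it sets is `HTTP_REFERER`; `"http_referer is present"` would match what the test actually manipulates. The `describe` block is shown in full, so these additions fit inside it.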
