Add a separate permission to access the admin panel #303
| skip_before_action :authorize_admin | ||
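Review bot: `skip_before_action :authorize_admin` has no `only:` option, so every action of this controller, not just `forbidden`, now runs without the admin authorization check; restrict it with `skip_before_action :authorize_admin, only: :forbidden` unless the controller defines no other actions.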
| def forbidden | ||
| authorize! :read, ::Spree::AdminPanel |
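Review bot: `authorize! :read, ::Spree::AdminPanel` inside `forbidden` raises `CanCan::AccessDenied` for exactly the users this page exists to serve, so the action only works if this controller rescues that exception itself; with the inherited handler it redirects straight back to `/admin/forbidden`. Checking `can?(:read, ...)` and rendering the error page directly avoids depending on the rescue chain.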
I don't think we should define Spree::AdminPanel in spree_core, and then use it only in spree_backend. Maybe a cleaner version would be checking whether there's a :read permission on Spree::Admin (which is already a module defined in spree_backend)?
https://github.com/CanCanCommunity/cancancan/blob/develop/docs/define_check_abilities.md#can-subjects
Also, maybe this authorize could be moved to the Admin::BaseController, and we could handle the redirection to 404 page manually there?
| render status: 403 | ||
| end | ||
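Review bot: `render status: 403` does not match the 404 page the discussion below settles on, so the two paths through this controller answer a denied user with different statuses; pick one. If the intent is not to reveal to non-admin users that the admin panel exists, 404 is the one to keep and the status here should change as well.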
| rescue_from CanCan::AccessDenied do |_exception| |
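Review bot: the handler body is outside the shown context, and `rescue_from` declared on a controller applies to all of its actions and to every subclass, so if this lands on a shared base class rather than on the controller owning `forbidden`, every `CanCan::AccessDenied` in the admin turns into a 404 instead of the usual redirect. `rescue_from` has no per-action option, so scope it by declaring it on the leaf controller only.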
What do we need this one for? I think this will also change the behavior of other controllers, right?
In Spree::Core::ControllerHelper::Auth there is access handling (which I guess fires when we are denied access to a resource):

```ruby
rescue_from CanCan::AccessDenied do |_exception|
  redirect_unauthorized_access
end
```

which created a theoretically infinite loop of redirecting to /admin/forbidden, being denied access, redirecting to /admin/forbidden... Which resulted in an error:

I decided that a plain 404 error page is clearer, so I overrode said `rescue_from CanCan::AccessDenied`.
This PR works with: spree/spree#11993
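The redirect loop described in the comment above, and the per-controller `rescue_from` override that breaks it, reproduced as an added stand-alone example. This is not code from the PR or from Spree: it simulates the relevant Rails and CanCanCan semantics (a `before_action` that authorizes, `skip_before_action` for one action, a `rescue_from` handler per controller) without either library, and all names in it (`MiniController`, `Ability`, `trail_for`, `MAX_HOPS`, the `:admin_panel` subject) are assumptions made for the demo.

```ruby
# Added example, not code from the PR or from Spree: a stand-alone Ruby
# simulation (no Rails, no CanCanCan) of the redirect loop described above and
# of the per-controller rescue that breaks it. All names below (MiniController,
# Ability, trail_for, MAX_HOPS, the :admin_panel subject) are assumptions made
# for this demo.

class AccessDenied < StandardError; end  # stands in for CanCan::AccessDenied

# Minimal ability: a user either holds the admin-panel permission or not.
class Ability
  def initialize(user)
    @admin = user.fetch(:admin)
  end

  def can?(_action, _subject)
    @admin
  end
end

Response = Struct.new(:status, :location)

# Models one Rails controller: a before_action that authorizes, optionally
# skipped for some actions, and a rescue_from handler for AccessDenied.
class MiniController
  def initialize(user:, rescue_with:, skip_auth_for: [])
    @user = user
    @rescue_with = rescue_with
    @skip_auth_for = skip_auth_for
  end

  def dispatch(action)
    authorize_admin unless @skip_auth_for.include?(action)
    public_send(action)
  rescue AccessDenied => e
    @rescue_with.call(self, e)
  end

  # before_action :authorize_admin
  def authorize_admin
    raise AccessDenied unless Ability.new(@user).can?(:read, :admin_panel)
  end

  def index
    Response.new(200, nil)
  end

  # The forbidden action authorizes again (like `authorize! :read, ...`),
  # so for a denied user it raises AccessDenied as well.
  def forbidden
    authorize_admin
    Response.new(403, nil)
  end
end

# rescue_from handlers: the global one from the core helper (redirect to the
# forbidden page) and the local override from the PR (render a 404).
REDIRECT_TO_FORBIDDEN = ->(_c, _e) { Response.new(302, "/admin/forbidden") }
RENDER_NOT_FOUND      = ->(_c, _e) { Response.new(404, nil) }

MAX_HOPS = 5  # redirects to follow before declaring a loop

# Routes: the admin index keeps the global handler; the handler of the
# forbidden controller is what the PR changes.
def build_routes(user, forbidden_rescue)
  {
    "/admin" => [MiniController.new(user: user, rescue_with: REDIRECT_TO_FORBIDDEN), :index],
    "/admin/forbidden" => [MiniController.new(user: user, rescue_with: forbidden_rescue,
                                              skip_auth_for: [:forbidden]), :forbidden],
  }
end

# Follow redirects from `start` and return the list of statuses seen;
# :loop is appended if MAX_HOPS redirects never reach a final response.
def trail_for(forbidden_rescue, user: { admin: false }, start: "/admin")
  routes = build_routes(user, forbidden_rescue)
  path = start
  trail = []
  MAX_HOPS.times do
    controller, action = routes.fetch(path)
    resp = controller.dispatch(action)
    trail << resp.status
    return trail unless resp.status == 302
    path = resp.location
  end
  trail << :loop
end

if __FILE__ == $PROGRAM_NAME
  p trail_for(REDIRECT_TO_FORBIDDEN)                    # inherited handler: redirect loop
  p trail_for(RENDER_NOT_FOUND)                         # local override: 302 then 404
  p trail_for(RENDER_NOT_FOUND, user: { admin: true })  # admin user: 200
end
```

With the inherited handler a denied user bounces between `/admin` and `/admin/forbidden` until the hop limit; with the override the first denial still redirects to `/admin/forbidden`, whose own denial is now answered locally with a 404. The same model also shows the concern raised in review: whichever handler a controller carries applies to every action it dispatches, so the override must live on the controller that owns `forbidden`, not on a shared base class.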