From 8b233b94b38853d63d2d78a23f3cafe89f94cf12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Por=C4=99bski?=
Date: Tue, 9 Jan 2024 09:32:23 +0100
Subject: [PATCH 1/4] update ErrorsController to authorize access to Spree::AdminPanel

---
 app/controllers/spree/admin/errors_controller.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/controllers/spree/admin/errors_controller.rb b/app/controllers/spree/admin/errors_controller.rb
index 1182704050..e2ceeb258e 100644
--- a/app/controllers/spree/admin/errors_controller.rb
+++ b/app/controllers/spree/admin/errors_controller.rb
@@ -1,11 +1,17 @@
 module Spree
 module Admin
 class ErrorsController < BaseController
+
 skip_before_action :authorize_admin
 def forbidden
+ authorize! :read, ::Spree::AdminPanel
 render status: 403
 end
+
+ rescue_from CanCan::AccessDenied do |_exception|
+ throw _exception
+ end
 end
 end
 end

From a1f7eaa78079ca8e6dd19adfe1e90a655f18cc82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Por=C4=99bski?=
Date: Wed, 10 Jan 2024 11:14:18 +0100
Subject: [PATCH 2/4] move admin panel :read access check functionality to base controller

---
 app/controllers/spree/admin/base_controller.rb | 9 +++++++++
 app/controllers/spree/admin/errors_controller.rb | 5 -----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/app/controllers/spree/admin/base_controller.rb b/app/controllers/spree/admin/base_controller.rb
index 375512f3ba..cd11ea3939 100644
--- a/app/controllers/spree/admin/base_controller.rb
+++ b/app/controllers/spree/admin/base_controller.rb
@@ -16,6 +16,7 @@ class BaseController < ApplicationController
 helper 'spree/currency'
 layout 'spree/layouts/admin'
+ before_action :ensure_can_read_admin_panel
 before_action :authorize_admin
 before_action :load_stores
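Review bot: `throw _exception` in the new rescue_from handler is not a re-raise: `throw` is Ruby's catch/throw control flow, and with no matching `catch` it surfaces as UncaughtThrowError, so a user who fails the `authorize! :read, ::Spree::AdminPanel` check would presumably get an unhandled error (HTTP 500) instead of the intended 403. The intent looks like `raise`, in which case the block parameter is used and should not carry the `_` prefix, `rescue_from CanCan::AccessDenied do |exception| raise exception end` — or the handler can simply be dropped, which is what the next patch in this series does. The subject `::Spree::AdminPanel` here also differs from the `Spree::Admin` used by the base-controller check introduced later in the series; both must agree with whatever the Ability rules are defined on.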
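Review bot: `before_action :ensure_can_read_admin_panel` is registered ahead of `:authorize_admin`, and the method (in the next hunk) rescues CanCan::AccessDenied itself and redirects, so it decides before the existing authorize_admin/redirect_unauthorized_access path ever runs. If guests hold no `:read` rule on the admin panel, a not-yet-logged-in admin hitting /admin would presumably be bounced to the storefront root rather than to login as before — worth confirming against the Ability and the login flow. If the intent is only to gate logged-in users without panel access, consider ordering it after `:authorize_admin`, or delegating the denial to `redirect_unauthorized_access`, which already branches on `try_spree_current_user`.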
@@ -37,6 +38,14 @@ def authorize_admin
 authorize! action, record
 end
+ def ensure_can_read_admin_panel
+ begin
+ authorize! :read, Spree::Admin
+ rescue CanCan::AccessDenied
+ redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : '/'
+ end
+ end
+
 def redirect_unauthorized_access
 if try_spree_current_user
 flash[:error] = Spree.t(:authorization_failure)
diff --git a/app/controllers/spree/admin/errors_controller.rb b/app/controllers/spree/admin/errors_controller.rb
index e2ceeb258e..3d29084501 100644
--- a/app/controllers/spree/admin/errors_controller.rb
+++ b/app/controllers/spree/admin/errors_controller.rb
@@ -5,13 +5,8 @@ class ErrorsController < BaseController
 skip_before_action :authorize_admin
 def forbidden
- authorize! :read, ::Spree::AdminPanel
 render status: 403
 end
-
- rescue_from CanCan::AccessDenied do |_exception|
- throw _exception
- end
 end
 end
 end

From 5994fd3f44f288f3324daad53e1ac5d985ce7c98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Por=C4=99bski?=
Date: Wed, 10 Jan 2024 11:16:31 +0100
Subject: [PATCH 3/4] deleted extra empty line

---
 app/controllers/spree/admin/errors_controller.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/controllers/spree/admin/errors_controller.rb b/app/controllers/spree/admin/errors_controller.rb
index 3d29084501..1182704050 100644
--- a/app/controllers/spree/admin/errors_controller.rb
+++ b/app/controllers/spree/admin/errors_controller.rb
@@ -1,7 +1,6 @@
 module Spree
 module Admin
 class ErrorsController < BaseController
-
 skip_before_action :authorize_admin
 def forbidden

From 6f99c1ef3a2903d4ed4e949d246b7b38f9ffc0ad Mon Sep 17 00:00:00 2001
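Review bot: The subject in `authorize! :read, Spree::Admin` is the admin namespace module, whereas the first patch in this series authorized against `::Spree::AdminPanel`; CanCan denies an unrecognized subject for any ability without a blanket `can :manage, :all`, so the constant has to be the one the Ability rules are written for, and a short comment would help the next reader, e.g. `# Spree::Admin is the subject the admin-panel :read rule is defined on`. The explicit `begin`/`end` wrapping the whole method body is redundant in Ruby — a method-level `rescue CanCan::AccessDenied` reads the same without the extra nesting. Note also that this rescue swallows the AccessDenied, so `redirect_unauthorized_access` below is never reached for this check.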
From: =?UTF-8?q?Mateusz=20Por=C4=99bski?=
Date: Wed, 10 Jan 2024 18:06:24 +0100
Subject: [PATCH 4/4] added access_denied view, handle access denied logic

---
 app/controllers/spree/admin/base_controller.rb | 5 ++++-
 app/controllers/spree/admin/errors_controller.rb | 7 ++++++-
 app/views/spree/admin/errors/access_denied.html.erb | 1 +
 config/routes.rb | 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 app/views/spree/admin/errors/access_denied.html.erb

diff --git a/app/controllers/spree/admin/base_controller.rb b/app/controllers/spree/admin/base_controller.rb
index cd11ea3939..7f3ad141f3 100644
--- a/app/controllers/spree/admin/base_controller.rb
+++ b/app/controllers/spree/admin/base_controller.rb
@@ -42,7 +42,10 @@ def ensure_can_read_admin_panel
 begin
 authorize! :read, Spree::Admin
 rescue CanCan::AccessDenied
- redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : '/'
+ redirect_to spree.admin_access_denied_path
+ false
+ else
+ true
 end
 end
diff --git a/app/controllers/spree/admin/errors_controller.rb b/app/controllers/spree/admin/errors_controller.rb
index 1182704050..d3bd6a396b 100644
--- a/app/controllers/spree/admin/errors_controller.rb
+++ b/app/controllers/spree/admin/errors_controller.rb
@@ -2,9 +2,14 @@ module Spree
 module Admin
 class ErrorsController < BaseController
 skip_before_action :authorize_admin
+ skip_before_action :ensure_can_read_admin_panel
 def forbidden
- render status: 403
+ render status: 403 if ensure_can_read_admin_panel
+ end
+
+ def access_denied
+ render status: 403, layout: nil
 end
 end
 end
diff --git a/app/views/spree/admin/errors/access_denied.html.erb b/app/views/spree/admin/errors/access_denied.html.erb
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/app/views/spree/admin/errors/access_denied.html.erb
@@ -0,0 +1 @@
+
diff --git a/config/routes.rb b/config/routes.rb
index e1facaf504..db32e2d7ac 100644
--- a/config/routes.rb
+++ b/config/routes.rb
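Review bot: The `false`/`true` results added to `ensure_can_read_admin_panel` do nothing for it as a before_action — Rails halts the chain because `redirect_to` marks the response as performed, not because the callback returned false — so the return value exists only for the explicit call in `ErrorsController#forbidden`, which leaves one method serving as both filter and predicate. If ErrorsController skips the filter only for the action that must stay reachable after the redirect (`skip_before_action :ensure_can_read_admin_panel, only: :access_denied`), the boolean can go and the method shrinks to a plain filter. The `begin`/`else` scaffolding is also unnecessary at method level.
```ruby
def ensure_can_read_admin_panel
  authorize! :read, Spree::Admin
rescue CanCan::AccessDenied
  redirect_to spree.admin_access_denied_path
end
```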
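Review bot: `skip_before_action :ensure_can_read_admin_panel` removes the check from every action and then `forbidden` re-invokes it by hand, which is the only reason the filter had to grow a boolean return; narrowing the skip to the one action that must remain reachable after a denial redirect, `skip_before_action :ensure_can_read_admin_panel, only: :access_denied`, keeps `forbidden` at `render status: 403` and avoids the redirect loop without the manual call. `access_denied` is then reachable by anyone, including unauthenticated users, which is presumably intended since it is the redirect target. For the layout, `layout: false` is the documented way to disable it; `layout: nil` happens to behave the same but reads as "use the default".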
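Review bot: The new access_denied.html.erb is empty (one added line containing only a newline, blob 8b13789179), so a user redirected here gets a blank page whose only signal is the 403 status, with no message and no way back. At minimum it should render the `Spree.t(:authorization_failure)` text the base controller already uses for the flash, plus a link to the storefront root or the login page.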
@@ -220,6 +220,7 @@ resources :webhooks_subscribers
 get '/forbidden', to: 'errors#forbidden', as: :forbidden
+ get '/access-denied', to: 'errors#access_denied', as: :access_denied
 resource :dashboard, controller: 'dashboard'
 root to: 'dashboard#show'