diff --git a/lib/spree/auth/engine.rb b/lib/spree/auth/engine.rb index 2a65eb55..2253943a 100644 --- a/lib/spree/auth/engine.rb +++ b/lib/spree/auth/engine.rb @@ -26,26 +26,65 @@ class Engine < Rails::Engine ApplicationController.include Spree::AuthenticationHelpers end + def self.redirect_back_on_unauthorized? + return false unless Spree::Config.respond_to?(:redirect_back_on_unauthorized) + + if Spree::Config.redirect_back_on_unauthorized + true + else + Spree::Deprecation.warn <<-WARN.strip_heredoc, caller + Having Spree::Config.redirect_back_on_unauthorized set + to `false` is deprecated and will not be supported in Solidus 3.0. + Please change this configuration to `true` and be sure that your + application does not break trying to redirect back when there is + an unauthorized access. + WARN + + false + end + end + def self.prepare_backend Spree::Admin::BaseController.unauthorized_redirect = -> do if try_spree_current_user flash[:error] = I18n.t('spree.authorization_failure') - redirect_to spree.admin_unauthorized_path + + if Spree::Auth::Engine.redirect_back_on_unauthorized? + redirect_back(fallback_location: spree.admin_unauthorized_path) + else + redirect_to spree.admin_unauthorized_path + end else store_location - redirect_to spree.admin_login_path + + if Spree::Auth::Engine.redirect_back_on_unauthorized? + redirect_back(fallback_location: spree.admin_login_path) + else + redirect_to spree.admin_login_path + end end end end + def self.prepare_frontend Spree::BaseController.unauthorized_redirect = -> do if try_spree_current_user flash[:error] = I18n.t('spree.authorization_failure') - redirect_to spree.unauthorized_path + + if Spree::Auth::Engine.redirect_back_on_unauthorized? + redirect_back(fallback_location: spree.unauthorized_path) + else + redirect_to spree.unauthorized_path + end else store_location - redirect_to spree.login_path + + if Spree::Auth::Engine.redirect_back_on_unauthorized? + redirect_back(fallback_location: spree.login_path) + else + redirect_to spree.login_path + end end end end diff --git a/spec/controllers/spree/admin/base_controller_spec.rb b/spec/controllers/spree/admin/base_controller_spec.rb new file mode 100644 index 00000000..5b81942a --- /dev/null +++ b/spec/controllers/spree/admin/base_controller_spec.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Spree::Admin::BaseController, type: :controller do + describe '#unauthorized_redirect' do + controller(described_class) do + def index; authorize!(:read, :something); end + end + + before do + stub_spree_preferences(Spree::Config, redirect_back_on_unauthorized: true) + end + + context "when user is logged in" do + before { sign_in(create(:user)) } + + context "when http_referrer is not present" do + it "redirects to unauthorized path" do + get :index + expect(response).to redirect_to(spree.admin_unauthorized_path) + end + end + + context "when http_referrer is present" do + before { request.env['HTTP_REFERER'] = '/redirect' } + + it "redirects back" do + get :index + expect(response).to redirect_to('/redirect') + end + end + end + + context "when user is not logged in" do + context "when http_referrer is not present" do + it "redirects to login path" do + get :index + expect(response).to redirect_to(spree.admin_login_path) + end + end + + context "when http_referrer is present" do + before { request.env['HTTP_REFERER'] = '/redirect' } + + it "redirects back" do + get :index + expect(response).to redirect_to('/redirect') + end + end + end + end +end diff --git a/spec/controllers/spree/base_controller_spec.rb b/spec/controllers/spree/base_controller_spec.rb new file mode 100644 index 00000000..9dc565cd --- /dev/null +++ b/spec/controllers/spree/base_controller_spec.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Spree::BaseController, type: :controller do + describe '#unauthorized_redirect' do + controller(described_class) do + def index; authorize!(:read, :something); end + end + + before do + stub_spree_preferences(Spree::Config, redirect_back_on_unauthorized: true) + end + + context "when user is logged in" do + before { sign_in(create(:user)) } + + context "when http_referrer is not present" do + it "redirects to unauthorized path" do + get :index + expect(response).to redirect_to(spree.unauthorized_path) + end + end + + context "when http_referrer is present" do + before { request.env['HTTP_REFERER'] = '/redirect' } + + it "redirects back" do + get :index + expect(response).to redirect_to('/redirect') + end + end + end + + context "when user is not logged in" do + context "when http_referrer is not present" do + it "redirects to login path" do + get :index + expect(response).to redirect_to(spree.login_path) + end + end + + context "when http_referrer is present" do + before { request.env['HTTP_REFERER'] = '/redirect' } + + it "redirects back" do + get :index + expect(response).to redirect_to('/redirect') + end + end + end + end +end