Rework the default denied access handler to give different responses to tokens, logge...
[rails.git] / app / controllers / application_controller.rb
index ad91b3a3b11b3aaad19e4142fd58bd3a5a8a4c5d..690bdf5ca5140dad6448e86af7e6d02732ce7c35 100644 (file)
@@ -1,6 +1,5 @@
 class ApplicationController < ActionController::Base
   include SessionPersistence
-  # check_authorization
 
   protect_from_forgery :with => :exception
 
@@ -478,11 +477,16 @@ class ApplicationController < ActionController::Base
   end
 
   def deny_access(_exception)
-    if current_user
+    if current_token
       set_locale
       report_error t("oauth.permissions.missing"), :forbidden
+    elsif current_user
+      set_locale
+      report_error t("application.permission_denied"), :forbidden
+    elsif request.get?
+      redirect_to :controller => "users", :action => "login", :referer => request.fullpath
     else
-      require_user
+      head :forbidden
     end
   end
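Review bot: The new `request.get?` branch passes `request.fullpath` to the login page as `:referer`, so the safety of the post-login redirect rests on how the login action treats that parameter, which is outside this hunk. If login redirects to it, the value should be accepted only when it is a local path on this site (a single leading `/`, no scheme or host), with a fallback to the site root otherwise. A comment above the branch would record that contract, for example `# :referer is client-controlled; login must only redirect to local paths`. Separately, the final `head :forbidden` gives an anonymous non-GET caller the same bare 403 as a refused logged-in user; `head :unauthorized` would let clients tell the two cases apart, if that distinction matters to callers of this handler.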