From ccdec3ed4c0f7c472f6db7e5eff2dfc1579f3dd1 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 8 Nov 2018 19:09:56 +0000 Subject: [PATCH] Attempt to send pretty 403 errors to web browsers --- app/controllers/application_controller.rb | 10 ++++++++-- test/controllers/redactions_controller_test.rb | 15 ++++++++++----- test/controllers/user_blocks_controller_test.rb | 15 ++++++++++----- 3 files changed, 28 insertions(+), 12 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1df6dd7d1..70305850a 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -483,9 +483,15 @@ class ApplicationController < ActionController::Base report_error t("oauth.permissions.missing"), :forbidden elsif current_user set_locale - report_error t("application.permission_denied"), :forbidden + respond_to do |format| + format.html { redirect_to :controller => "errors", :action => "forbidden" } + format.any { report_error t("application.permission_denied"), :forbidden } + end elsif request.get? - redirect_to :controller => "users", :action => "login", :referer => request.fullpath + respond_to do |format| + format.html { redirect_to :controller => "users", :action => "login", :referer => request.fullpath } + format.any { head :forbidden } + end else head :forbidden end diff --git a/test/controllers/redactions_controller_test.rb b/test/controllers/redactions_controller_test.rb index fa56814b2..1c2ee65b3 100644 --- a/test/controllers/redactions_controller_test.rb +++ b/test/controllers/redactions_controller_test.rb @@ -63,7 +63,8 @@ class RedactionsControllerTest < ActionController::TestCase session[:user] = create(:user).id get :new - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" end def test_create_moderator @@ -86,7 +87,8 @@ class RedactionsControllerTest < ActionController::TestCase session[:user] = create(:user).id post :create, :params => { :redaction => { :title => "Foo", :description => "Description here." } } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" end def test_destroy_moderator_empty @@ -117,7 +119,8 @@ class RedactionsControllerTest < ActionController::TestCase session[:user] = create(:user).id delete :destroy, :params => { :id => create(:redaction).id } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" end def test_edit @@ -139,7 +142,8 @@ class RedactionsControllerTest < ActionController::TestCase session[:user] = create(:user).id get :edit, :params => { :id => create(:redaction).id } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" end def test_update_moderator @@ -168,6 +172,7 @@ class RedactionsControllerTest < ActionController::TestCase redaction = create(:redaction) put :update, :params => { :id => redaction.id, :redaction => { :title => "Foo", :description => "Description here." } } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" end end diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb index 4371e3f82..326f2335a 100644 --- a/test/controllers/user_blocks_controller_test.rb +++ b/test/controllers/user_blocks_controller_test.rb @@ -145,7 +145,8 @@ class UserBlocksControllerTest < ActionController::TestCase # Check that normal users can't load the block creation page get :new, :params => { :display_name => target_user.display_name } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" # Login as a moderator session[:user] = create(:moderator_user).id @@ -188,7 +189,8 @@ class UserBlocksControllerTest < ActionController::TestCase # Check that normal users can't load the block edit page get :edit, :params => { :id => active_block.id } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" # Login as a moderator session[:user] = create(:moderator_user).id @@ -230,7 +232,8 @@ class UserBlocksControllerTest < ActionController::TestCase # Check that normal users can't create blocks post :create - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" # Login as a moderator session[:user] = moderator_user.id @@ -292,7 +295,8 @@ class UserBlocksControllerTest < ActionController::TestCase # Check that normal users can't update blocks put :update, :params => { :id => active_block.id } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" # Login as the wrong moderator session[:user] = second_moderator_user.id @@ -359,7 +363,8 @@ class UserBlocksControllerTest < ActionController::TestCase # Check that normal users can't load the block revoke page get :revoke, :params => { :id => active_block.id } - assert_response :forbidden + assert_response :redirect + assert_redirected_to :controller => "errors", :action => "forbidden" # Login as a moderator session[:user] = create(:moderator_user).id -- 2.43.2