Merge pull request #5399 from nebulab/rainerd/fix/cancancan-action-na…

…me-symbol

[Admin] Ensure `action_name` is passed as symbol for `cancancan` authorization

admin/app/controllers/solidus_admin/controller_helpers/authorization.rb

@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
 
  included do
  before_action :authorize_solidus_admin_user!
+
+ rescue_from CanCan::AccessDenied do
+ render 'unauthorized', status: :forbidden
+ end
  end
 
  private
@@ -17,7 +21,7 @@ def authorize_solidus_admin_user!
  subject = authorization_subject
 
  authorize! :admin, subject
- authorize! action_name, subject
+ authorize! action_name.to_sym, subject
  end
 
  def authorization_subject

admin/app/views/solidus_admin/base/unauthorized.html.erb

@@ -0,0 +1,4 @@
+<div class="p-4">
+ <h1 class="text-3xl font-semibold text-solidusRed mb-4"><%= t('solidus_admin.errors.authorization.access_denied.title') %></h1>
+ <p class="text-lg text-gray-700"><%= t('solidus_admin.errors.authorization.access_denied.description') %></p>
+</div>

admin/config/locales/errors.en.yml

@@ -0,0 +1,7 @@
+en:
+ solidus_admin:
+ errors:
+ authorization:
+ access_denied:
+ title: "Access Denied"
+ description: "You are not authorized to access this page."

admin/spec/controllers/solidus_admin/base_controller_spec.rb

@@ -15,10 +15,22 @@ def index
  allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
  end
 
- it "redirects to unauthorized" do
+ it "redirects to unauthorized for no user" do
  get :index
  expect(response).to redirect_to '/unauthorized'
  end
+
+ context "with a user without update permission" do
+ before do
+ user = create(:user, email: '[email protected]')
+ allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+ end
+
+ it "redirects to unauthorized" do
+ get :index
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
  end
 
  context "successful request" do