Render a 401 for the user_permission! helper.

burlingtonruby · Jan 15, 2014 · 63c5b38 · 63c5b38
1 parent 11d03d7
commit 63c5b38
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 10 deletions.
diff --git a/app/helpers/user_helper.rb b/app/helpers/user_helper.rb
@@ -17,8 +17,7 @@ def require_authentication!
 
   def require_permission!(user)
     unless current_user && current_user == user
-      redirect_to root_path
-      flash[:alert] = "You do not have access to that."
+      render file: 'public/401.html', status: :unauthorized
     end
   end
 end
diff --git a/public/401.html b/public/401.html
@@ -0,0 +1,58 @@
+
+<!DOCTYPE html>
+<html>
+<head>
+  <title>You are not authorized to view that page (401)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>You are not authorized to view that page.</h1>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>
diff --git a/test/controllers/proposals_controller_test.rb b/test/controllers/proposals_controller_test.rb
@@ -61,8 +61,7 @@ class ProposalsControllerTest < ActionController::TestCase
   test 'show should redirect to root_path if proposal user is not current_user ' do
     sign_in @pete
     get :show, id: @rails_doesnt_scale
-    assert_redirected_to root_path
-    assert_equal "You do not have access to that.", flash[:alert]
+    assert_response 401
   end
 
   test 'edit should render correct layout' do
@@ -92,7 +91,6 @@ class ProposalsControllerTest < ActionController::TestCase
   test 'should not destroy proposal if current_user is does not have persmission' do
     sign_in @pete
     delete :destroy, id: @rails_doesnt_scale.id
-    assert_redirected_to root_path
-    assert_equal "You do not have access to that.", flash[:alert]
+    assert_response 401
   end
 end
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
@@ -27,17 +27,21 @@ class UsersControllerTest < ActionController::TestCase
     assert_equal 'Profile successfully updated.', flash[:success]
   end
 
+  test 'user should only be able to view profile they have access to' do
+    sign_in @pete
+    get :show, id: @brett
+    assert_response 401
+  end
+
   test 'user should only be able to edit their own profile' do
     sign_in @pete
     get :edit, id: @brett
-    assert_redirected_to root_path
-    assert_equal "You do not have access to that.", flash[:alert]
+    assert_response 401
   end
 
   test 'user should only be able to update their own profile' do
     sign_in @pete
     patch :update, id: @brett.id, user: { bio: 'Probably not a cat.' }
-    assert_redirected_to root_path
-    assert_equal "You do not have access to that.", flash[:alert]
+    assert_response 401
   end
 end