Merge branch 'bvl-missing-message-on-access-denied' into 'master'

Render access denied without message Closes #47844 See merge request gitlab-org/gitlab-ce!19755

Merge branch 'bvl-missing-message-on-access-denied' into 'master'
Render access denied without message Closes #47844 See merge request gitlab-org/gitlab-ce!19755
7b7ba297 · Robert Speicher · 61b0577d · 7fe92d99 · 7b7ba297 · 7b7ba297
Commit 7b7ba297 authored Jun 13, 2018 by Robert Speicher
4 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -284,8 +284,10 @@ class ApplicationController < ActionController::Base
    return unless current_user
    return if current_user.terms_accepted?
+    message = _("Please accept the Terms of Service before continuing.")
    if sessionless_user?
-      render_403
+      access_denied!(message)
    else
      # Redirect to the destination if the request is a get.
      # Redirect to the source if it was a post, so the user can re-submit after
@@ -296,7 +298,7 @@ class ApplicationController < ActionController::Base
                        URI(request.referer).path if request.referer
                      end
-      flash[:notice] = _("Please accept the Terms of Service before continuing.")
+      flash[:notice] = message
      redirect_to terms_path(redirect: redirect_path), status: :found
    end
  end

--- a/app/views/errors/access_denied.html.haml
+++ b/app/views/errors/access_denied.html.haml
- message = local_assigns.fetch(:message)
+- message = local_assigns.fetch(:message, nil)
 - content_for(:title, 'Access Denied')
 = image_tag('illustrations/error-403.svg', alt: '403', lazy: false)

--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -458,6 +458,8 @@ describe ApplicationController do
      end
      context 'for sessionless users' do
+        render_views
        before do
          sign_out user
        end
@@ -468,6 +470,14 @@ describe ApplicationController do
          expect(response).to have_gitlab_http_status(403)
        end
+        it 'renders the error message when the format was html' do
+          get :index,
+              private_token: create(:personal_access_token, user: user).token,
+              format: :html
+          expect(response.body).to have_content /accept the terms of service/i
+        end
        it 'renders a 200 when the sessionless user accepted the terms' do
          accept_terms(user)

--- a/spec/views/errors/access_denied.html.haml_spec.rb
+++ b/spec/views/errors/access_denied.html.haml_spec.rb
+require 'spec_helper'
+describe 'errors/access_denied' do
+  it 'does not fail to render when there is no message provided' do
+    expect { render }.not_to raise_error
+  end
+end