Commit 7fe92d99 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Render access denied without message

The `errors/access_denied` page should not fail to render when no
message is provided.

When accessing something as a sessionless user, we should also display
the terms message if possible.
parent 96482886
...@@ -284,8 +284,10 @@ class ApplicationController < ActionController::Base ...@@ -284,8 +284,10 @@ class ApplicationController < ActionController::Base
return unless current_user return unless current_user
return if current_user.terms_accepted? return if current_user.terms_accepted?
message = _("Please accept the Terms of Service before continuing.")
if sessionless_user? if sessionless_user?
render_403 access_denied!(message)
else else
# Redirect to the destination if the request is a get. # Redirect to the destination if the request is a get.
# Redirect to the source if it was a post, so the user can re-submit after # Redirect to the source if it was a post, so the user can re-submit after
...@@ -296,7 +298,7 @@ class ApplicationController < ActionController::Base ...@@ -296,7 +298,7 @@ class ApplicationController < ActionController::Base
URI(request.referer).path if request.referer URI(request.referer).path if request.referer
end end
flash[:notice] = _("Please accept the Terms of Service before continuing.") flash[:notice] = message
redirect_to terms_path(redirect: redirect_path), status: :found redirect_to terms_path(redirect: redirect_path), status: :found
end end
end end
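Review bot: The sessionless branch (`access_denied!(message)`) has no why-comment, while the else branch two lines below carries two comment lines explaining its redirect; a matching one-liner would keep the method readable, e.g. `# Sessionless (token-based) users are shown the 403 page with the message instead of the terms redirect.` Whether `access_denied!` keeps answering 403 for every request format is not visible here; the spec in this commit asserts the status and the html body, which covers the two cases this hunk changes. The enclosing method starts before the hunk.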
- message = local_assigns.fetch(:message) - message = local_assigns.fetch(:message, nil)
- content_for(:title, 'Access Denied') - content_for(:title, 'Access Denied')
= image_tag('illustrations/error-403.svg', alt: '403', lazy: false) = image_tag('illustrations/error-403.svg', alt: '403', lazy: false)
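Review bot: `local_assigns.fetch(:message, nil)` is the long form of the usual optional-local idiom; since the default is `nil` anyway, `- message = local_assigns[:message]` says the same thing more plainly. In either form a short HAML comment marking the local as optional helps the next reader, e.g. `-# message is optional (nil when the caller passes none)`. The part of the template that renders `message` is below the hunk and not visible here, so confirm that it tolerates `nil` rather than only the assignment doing so.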
...@@ -458,6 +458,8 @@ describe ApplicationController do ...@@ -458,6 +458,8 @@ describe ApplicationController do
end end
context 'for sessionless users' do context 'for sessionless users' do
render_views
before do before do
sign_out user sign_out user
end end
...@@ -468,6 +470,14 @@ describe ApplicationController do ...@@ -468,6 +470,14 @@ describe ApplicationController do
expect(response).to have_gitlab_http_status(403) expect(response).to have_gitlab_http_status(403)
end end
it 'renders the error message when the format was html' do
get :index,
private_token: create(:personal_access_token, user: user).token,
format: :html
expect(response.body).to have_content /accept the terms of service/i
end
it 'renders a 200 when the sessionless user accepted the terms' do it 'renders a 200 when the sessionless user accepted the terms' do
accept_terms(user) accept_terms(user)
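Review bot: `have_content /accept the terms of service/i` passes the regex without parentheses, which Ruby only parses with a warning (`ambiguous first argument; put parentheses or a space even after '/' operator`); write it as `expect(response.body).to have_content(/accept the terms of service/i)`. The added `render_views` is what makes `response.body` carry the template output in a controller spec, and the 403 status assertion at the top of the second hunk still covers the status. The enclosing `context` block continues past the hunk.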
require 'spec_helper'
describe 'errors/access_denied' do
it 'does not fail to render when there is no message provided' do
expect { render }.not_to raise_error
end
end
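Review bot: The new view spec pins only the no-message path; a second example asserting that a supplied message is shown would guard the branch the controller now relies on, e.g. `render locals: { message: 'Please accept the terms' }` followed by `expect(rendered).to have_content('Please accept the terms')`. Since `render` is called without a template argument, the spec's file location is what selects `errors/access_denied`; that path is not visible in this view, so I am assuming it matches the template's.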