From 8e39985d66d254530ed5d37fc0a391558333bd3d Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 25 Aug 2019 20:29:32 -0500
Subject: [PATCH] app controller: fix api responses on access denied errors.

Bug: A .json/.xml/.js request that resulted in an access denied error returned a html response instead of a .json/.xml/.js response.
---
 app/controllers/application_controller.rb | 9 +++++----
 test/functional/application_controller_test.rb | 8 ++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index dd25aaae8..1552c3852 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -59,7 +59,7 @@ class ApplicationController < ActionController::Base
     when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
       render_error_page(403, exception)
     when User::PrivilegeError
-      render_error_page(403, exception, template: "static/access_denied")
+      render_error_page(403, exception, template: "static/access_denied", message: "Access denied")
     when ActiveRecord::RecordNotFound
       render_error_page(404, exception, message: "That record was not found.")
     when ActionController::RoutingError
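Review bot: The new `message: "Access denied"` argument replaces `exception.message` for `User::PrivilegeError` in every response format, while the sibling branches of this `case` (the 404 branch aside) still surface `exception.message`; if the raised error ever carries a specific reason (not visible in this hunk), API clients will no longer see it. If a fixed, non-internal string for API consumers is the intent, a why-comment on the changed line would keep a later maintainer from reverting it, e.g. `# fixed message: the raised reason is not meant for API clients`. The enclosing `case` and its method start before this hunk.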
@@ -81,19 +81,20 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def render_error_page(status, exception, message: exception.message, template: "static/error")
+  def render_error_page(status, exception, message: exception.message, template: "static/error", format: request.format.symbol)
     @exception = exception
     @expected = status < 500
     @message = message.encode("utf-8", { invalid: :replace, undef: :replace })
     @backtrace = Rails.backtrace_cleaner.clean(@exception.backtrace)
+    format = :html unless format.in?(%i[html json xml js atom])
 
     # if InvalidAuthenticityToken was raised, CurrentUser isn't set so we have to use the blank layout.
     layout = CurrentUser.user.present? ? "default" : "blank"
 
     DanbooruLogger.log(@exception, expected: @expected)
-    render template, layout: layout, status: status
+    render template, layout: layout, status: status, formats: format
   rescue ActionView::MissingTemplate
-    render "static/error.html", layout: layout, status: status
+    render "static/error", layout: layout, status: status, formats: format
   end
 
   def set_current_user
diff --git a/test/functional/application_controller_test.rb b/test/functional/application_controller_test.rb
index 40c122d5d..0b5e57170 100644
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -158,6 +158,14 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
       assert_response 403
       assert_select "h1", /Access Denied/
     end
+
+    should "render a json response for json requests" do
+      get news_updates_path(format: :json)
+
+      assert_response 403
+      assert_equal "application/json", response.content_type
+      assert_equal "Access denied", response.parsed_body["message"]
+    end
   end
 
   context "when the api limit is exceeded" do
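Review bot: The `rescue ActionView::MissingTemplate` fallback now renders `"static/error"` with the same `formats: format` that just failed, so when both `static/<template>.<format>` and `static/error.<format>` are missing the second `MissingTemplate` is raised from inside the rescue clause and escapes `render_error_page` entirely (an exception raised in a `rescue` body is not caught by that same clause); the old `"static/error.html"` fallback could not fail this way. Of the whitelisted formats only json is exercised by the new test, so unless an error template is guaranteed to exist for xml, js and atom as well, the fallback should keep html as a last resort, e.g. `render "static/error", layout: layout, status: status, formats: [format, :html]`. The whitelist line also silently handles an unregistered request format (`request.format.symbol` is nil, `in?` is false, html is used); a comment making that explicit, `# unknown or unsupported formats fall back to the html error page`, would document the intent.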
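Review bot: `assert_equal "application/json", response.content_type` pins the exact header value; on Rails 6.1 and later `response.content_type` returns the full header including the charset (`application/json; charset=utf-8`) and `response.media_type` is the accessor for the bare MIME type, so if the app is on or upgrading to that version the assertion should read `assert_equal "application/json", response.media_type`. The controller change whitelists xml, js and atom as well, but only json is covered here; a sibling case for `format: :xml` would exercise the `static/error` fallback path, which is where a missing per-format template would surface. The enclosing `context` block starts before this hunk.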