fix: redirections on invalid session (expiration & login)

app/controllers/consultations_controller.rb

@@ -2,6 +2,8 @@
 
 class ConsultationsController < ApplicationController
   def index
+    authorize Consultation
+
     @consultations = Consultation.all
   end
 

app/controllers/errors.rb

@@ -27,10 +27,10 @@ def self.included(clazz)
         redirect_to controller: 'consultations', action: 'show', id: current_user.consultation.id
       end
 
-      rescue_from AccessDenied do |_e|
+      rescue_from AccessDenied do |e|
         error(I18n.t('errors.access_denied'))
 
-        if Rails.configuration.x.asembleo.private_instance
+        if e.identifier_type == :user
           redirect_to new_session_path
         else
           redirect_to root_path
@@ -49,7 +49,15 @@ def self.included(clazz)
     end
   end
 
-  class AccessDenied < ActionController::ActionControllerError; end
+  class AccessDenied < ActionController::ActionControllerError
+    attr_reader :identifier_type
+
+    def initialize(msg = I18n.t('errors.access_denied'), identifier_type: Token.name.underscore.to_sym)
+      @identifier_type = identifier_type
+
+      super(msg)
+    end
+  end
 
   class InvalidParameters < ActionController::BadRequest
     def initialize(msg = I18n.t('errors.invalid_parameters'))

app/interactors/authenticate_credentials.rb

@@ -11,18 +11,24 @@ def call
 
     authenticate_token
   rescue ActiveRecord::RecordNotFound
-    fail!(error: Errors::AccessDenied)
+    fail!(error: Errors::AccessDenied.new(identifier_type:))
   end
 
   private
 
   def authenticate_user
     self.identity = User.find_by!(identifier:)
-    fail!(error: Errors::AccessDenied) unless identity.authenticate(password)
+    fail!(error: Errors::AccessDenied.new(identifier_type:)) unless identity.authenticate(password)
   end
 
   def authenticate_token
     self.identity = Token.from_value(identifier)
-    fail!(error: Errors::AccessDenied) if identity.disabled?
+    fail!(error: Errors::AccessDenied.new(identifier_type:)) if identity.disabled?
+  end
+
+  def identifier_type
+    return User.name.underscore.to_sym if password.present?
+
+    Token.name.underscore.to_sym
   end
 end

app/policies/consultation_policy.rb

@@ -16,6 +16,8 @@ def destroy?
   end
 
   def show?
+    return false if current_user.blank?
+
     record.id == current_user.consultation_id
   end
 

app/policies/event_policy.rb

@@ -30,6 +30,8 @@ def destroy?
   end
 
   def show?
+    return false if current_user.blank?
+
     record.consultation_id == current_user.consultation_id
   end
 

app/policies/option_policy.rb

@@ -14,6 +14,8 @@ def destroy?
   end
 
   def show?
+    return false if current_user.blank?
+
     record.question.consultation_id == current_user.consultation_id
   end
 

app/policies/question_policy.rb

@@ -30,6 +30,8 @@ def close?
   end
 
   def show?
+    return false if current_user.blank?
+
     record.consultation_id == current_user.consultation_id
   end
 

test/controllers/consultations_controller_test.rb

@@ -41,6 +41,12 @@ class ConsultationsControllerTest < ActionDispatch::IntegrationTest
     assert_equal params[:consultation][:description], consultation.description
   end
 
+  test 'should redirect on list consultations if not identified' do
+    get consultations_url
+
+    assert_response :redirect
+  end
+
   test 'should edit consultation' do
     login
 

test/controllers/sessions_controller_test.rb

@@ -36,6 +36,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     subject
 
     assert_response :redirect
+    assert_redirected_to root_path
   end
 
   test 'should autologin' do
@@ -55,4 +56,13 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal principal.id, session[:identity_id]
     assert_equal principal.class.name, session[:identity_type]
   end
+
+  test 'should fail on not found instance user' do
+    @params = { session: { identifier: 'rick@c137.io', password: 'wubbalubba' } }
+
+    subject
+
+    assert_response :redirect
+    assert_redirected_to new_session_path
+  end
 end