From f273b8e786fe52c008497e4ae074d0f39bcb1e7c Mon Sep 17 00:00:00 2001 From: Simon Tokumine Date: Wed, 21 Mar 2012 14:53:05 +0000 Subject: [PATCH] added 403 pages for private tables access via public url. closes #624 --- Gemfile.lock | 4 ++-- app/controllers/admin/tables_controller.rb | 2 +- app/controllers/application_controller.rb | 7 +++++++ public/403.html | 18 ++++++++++++++++++ 4 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 public/403.html diff --git a/Gemfile.lock b/Gemfile.lock index ad4c43b63..48aa9820d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -162,7 +162,7 @@ GEM columnize (>= 0.3.1) linecache19 (>= 0.5.11) ruby_core_source (>= 0.1.4) - ruby-debug-base19x (0.11.30.pre9) + ruby-debug-base19x (0.11.30.pre10) columnize (>= 0.3.1) linecache19 (>= 0.5.11) rake (>= 0.8.1) @@ -187,7 +187,7 @@ GEM sequel (>= 3.29.0) sinatra (1.2.8) rack (~> 1.1) - tilt (< 2.0, >= 1.2.2) + tilt (>= 1.2.2, < 2.0) spreadsheet (0.6.5.9) ruby-ole (>= 1.0) state_machine (1.1.2) diff --git a/app/controllers/admin/tables_controller.rb b/app/controllers/admin/tables_controller.rb index e4d6c76d8..531c2c2bf 100644 --- a/app/controllers/admin/tables_controller.rb +++ b/app/controllers/admin/tables_controller.rb @@ -79,7 +79,7 @@ def show_public @table = Table.find_by_subdomain(@subdomain, params[:id]) if @table.blank? || (!current_user && @table.private?) || ((current_user && current_user.id != @table.owner.id) && @table.private?) - head :forbidden + render_403 else respond_to do |format| format.html {render 'show_public', :layout => 'application_public' } diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index baca4d568..36b421a25 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
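Review bot: In `show_public` the deny branch now renders the same 403 page for a table that does not exist (`@table.blank?`) and for a private table the caller may not see, and nothing in the code records whether that is deliberate. If it is, keeping the two cases indistinguishable is what stops the public URL from confirming that a private table exists, so I would state it above the `if`: `# Missing and private tables both get 403 so the response does not reveal whether a private table exists.` Without that comment, someone may later route the blank case to `render_404`, which ApplicationController also provides. The condition would also read more easily as `@table.blank? || (@table.private? && (!current_user || current_user.id != @table.owner.id))`, which evaluates the same way. The body of `show_public` starts and ends outside this hunk.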
@@ -34,6 +34,13 @@ def allow_cross_domain_access end end + def render_403 + respond_to do |format| + format.html { render :file => "public/403.html", :status => 403, :layout => false } + format.all { head :forbidden } + end + end + def render_404 respond_to do |format| format.html do diff --git a/public/403.html b/public/403.html new file mode 100644 index 000000000..c6485180f --- /dev/null +++ b/public/403.html @@ -0,0 +1,18 @@ + + + + CartoDB - 403 Error + + + + + +
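Review bot: `render_403` passes the relative path `"public/403.html"` to `render :file`, so the deny path depends on how this Rails version resolves relative file paths; if that lookup fails, the caller would presumably get a 500 instead of the intended 403. An absolute path removes that dependency: `format.html { render :file => Rails.root.join('public', '403.html').to_s, :status => 403, :layout => false }`. `render_404` continues past the end of the hunk, so I cannot tell whether it uses the same form; if it does, the two should be changed together. A one-line comment above `render_403` saying it is the shared deny response, with the static page for HTML and a bare 403 for every other format, would also help.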
+
+

Sorry! You are not able to access this page

+
+
+ +
+ + \ No newline at end of file