
replaced ActionController::Forbidden with a user-friendly flash message.

Setting the 403 status code turned out to be a bad user experience in some browsers
such as Chrome on Windows machines.
1 parent 9903447 commit b004f199acb1e11672e78de8a8775b2979c4f958 @croaky croaky committed Jan 16, 2011
@@ -45,17 +45,25 @@ def update
def forbid_missing_token
if params[:token].blank?
- raise ActionController::Forbidden, "missing token"
+ flash_failure_when_forbidden
+ render :template => 'passwords/new'
end
end
def forbid_non_existent_user
unless ::User.find_by_id_and_confirmation_token(
params[:user_id], params[:token])
- raise ActionController::Forbidden, "non-existent user"
+ flash_failure_when_forbidden
+ render :template => 'passwords/new'
end
end
+ def flash_failure_when_forbidden
+ flash.now[:failure] = translate(:forbidden,
+ :scope => [:clearance, :controllers, :passwords],
+ :default => "Please double check the URL or try submitting the form again.")
+ end
+
def flash_notice_after_create
flash[:notice] = translate(:deliver_change_password,
:scope => [:clearance, :controllers, :passwords],
@@ -69,14 +77,14 @@ def flash_failure_after_create
:default => "Unknown email.")
end
- def url_after_create
- sign_in_url
- end
-
def flash_success_after_update
flash[:success] = translate(:signed_in, :default => "Signed in.")
end
+ def url_after_create
+ sign_in_url
+ end
+
def url_after_update
'/'
end
@@ -1,6 +1,3 @@
-require 'clearance/extensions/errors'
-require 'clearance/extensions/rescue'
-
require 'clearance/configuration'
require 'clearance/authentication'
require 'clearance/user'
@@ -1,6 +0,0 @@
-if defined?(ActionController)
- module ActionController
- class Forbidden < StandardError
- end
- end
-end
@@ -1,5 +0,0 @@
-if defined?(ActionDispatch::ShowExceptions) # Rails 3
- ActionDispatch::ShowExceptions.rescue_responses.update('ActionController::Forbidden' => :forbidden)
-elsif defined?(ActionController::Base)
- ActionController::Base.rescue_responses.update('ActionController::Forbidden' => :forbidden)
-end
@@ -15,11 +15,7 @@ def should_deny_access(opts = {})
# HTTP FLUENCY
def should_forbid(description, &block)
- should "forbid #{description}" do
- assert_raises ActionController::Forbidden do
- instance_eval(&block)
- end
- end
+ warn "[DEPRECATION] should_forbid and Clearance's ActionController::Forbidden have been removed. Setting the 403 status code turned out to be an awful user experience in some browsers such as Chrome on Windows machines."
end
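Review bot: `should_forbid` now ignores both `description` and `block`, so a test file that still calls it defines no test and passes silently, and the warning does not say which call site triggered it. Including the description and marking the block unused makes the dropped test identifiable: `def should_forbid(description, &_block)` with `warn "[DEPRECATION] should_forbid (#{description.inspect}) and Clearance's ActionController::Forbidden have been removed. ..."`. Because `warn` fires when the test class is loaded rather than when the suite runs, it is easy to miss in noisy output; defining a `should` that fails with the same message would make the lost coverage visible in the results instead.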
# RENDERING
@@ -79,10 +79,6 @@
visit edit_user_password_path(:user_id => user)
end
-Then /^I should be forbidden$/ do
- assert_response :forbidden
-end
-
# Actions
When /^I sign in as "(.*)\/(.*)"$/ do |email, password|
@@ -85,14 +85,33 @@ class PasswordsControllerTest < ActionController::TestCase
should render_template(:edit)
end
+ # here to see deprecation warning
should_forbid "on GET to #edit with correct id but blank token" do
get :edit, :user_id => @user.to_param, :token => ""
end
+ context "on GET to #edit with correct id but blank token" do
+ setup do
+ get :edit, :user_id => @user.to_param, :token => ""
+ end
+
+ should set_the_flash.to(/double check the URL/i)
+ should render_template(:new)
+ end
+
should_forbid "on GET to #edit with correct id but no token" do
get :edit, :user_id => @user.to_param
end
+ context "on GET to #edit with correct id but no token" do
+ setup do
+ get :edit, :user_id => @user.to_param
+ end
+
+ should set_the_flash.to(/double check the URL/i)
+ should render_template(:new)
+ end
+
context "on PUT to #update with matching password and password confirmation" do
setup do
new_password = "new_password"
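Review bot: The two new contexts at L100-L107 and L112-L119 repeat the same setup-plus-two-assertions shape for the blank-token and missing-token cases, so a shared macro or a loop over the two token variants (`:token => ""` and no token) would keep them in step. Only one retained `should_forbid` is needed to surface the deprecation warning the comment at L96 refers to; the second at L109 defines no test and could be dropped or given the same `# here to see deprecation warning` comment. If nothing elsewhere in the class exercises `forbid_non_existent_user`'s new render path (a non-blank token that matches no user), a context mirroring these two is worth adding, since that branch changed in the same commit. The enclosing `PasswordsControllerTest` class starts before the hunk and continues past it.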
