replaced ActionController::Forbidden with a user-friendly flash message.

Setting the 403 status code turned out to be a bad user experience in some browsers
such as Chrome on Windows machines.

app/controllers/clearance/passwords_controller.rb

@@ -45,17 +45,25 @@ def update
 
   def forbid_missing_token
     if params[:token].blank?
-      raise ActionController::Forbidden, "missing token"
+      flash_failure_when_forbidden
+      render :template => 'passwords/new'
     end
   end
 
   def forbid_non_existent_user
     unless ::User.find_by_id_and_confirmation_token(
                   params[:user_id], params[:token])
-      raise ActionController::Forbidden, "non-existent user"
+      flash_failure_when_forbidden
+      render :template => 'passwords/new'
     end
   end
 
+  def flash_failure_when_forbidden
+    flash.now[:failure] = translate(:forbidden,
+      :scope   => [:clearance, :controllers, :passwords],
+      :default => "Please double check the URL or try submitting the form again.")
+  end
+
   def flash_notice_after_create
     flash[:notice] = translate(:deliver_change_password,
       :scope   => [:clearance, :controllers, :passwords],
@@ -69,14 +77,14 @@ def flash_failure_after_create
       :default => "Unknown email.")
   end
 
-  def url_after_create
-    sign_in_url
-  end
-
   def flash_success_after_update
     flash[:success] = translate(:signed_in, :default => "Signed in.")
   end
 
+  def url_after_create
+    sign_in_url
+  end
+
   def url_after_update
     '/'
   end

lib/clearance.rb

@@ -1,6 +1,3 @@
-require 'clearance/extensions/errors'
-require 'clearance/extensions/rescue'
-
 require 'clearance/configuration'
 require 'clearance/authentication'
 require 'clearance/user'

lib/clearance/shoulda_macros.rb

@@ -15,11 +15,7 @@ def should_deny_access(opts = {})
     # HTTP FLUENCY
 
     def should_forbid(description, &block)
-      should "forbid #{description}" do
-        assert_raises ActionController::Forbidden do
-          instance_eval(&block)
-        end
-      end
+      warn "[DEPRECATION] should_forbid and Clearance's ActionController::Forbidden have been removed. Setting the 403 status code turned out to be an awful user experience in some browsers such as Chrome on Windows machines."
     end
 
     # RENDERING

lib/rails/generators/clearance_features_templates/features/step_definitions/clearance_steps.rb

@@ -79,10 +79,6 @@
   visit edit_user_password_path(:user_id => user)
 end
 
-Then /^I should be forbidden$/ do
-  assert_response :forbidden
-end
-
 # Actions
 
 When /^I sign in as "(.*)\/(.*)"$/ do |email, password|

test/controllers/passwords_controller_test.rb

@@ -85,14 +85,33 @@ class PasswordsControllerTest < ActionController::TestCase
       should render_template(:edit)
     end
 
+    # here to see deprecation warning
     should_forbid "on GET to #edit with correct id but blank token" do
       get :edit, :user_id => @user.to_param, :token => ""
     end
 
+    context "on GET to #edit with correct id but blank token" do
+      setup do
+        get :edit, :user_id => @user.to_param, :token => ""
+      end
+
+      should set_the_flash.to(/double check the URL/i)
+      should render_template(:new)
+    end
+
     should_forbid "on GET to #edit with correct id but no token" do
       get :edit, :user_id => @user.to_param
     end
 
+    context "on GET to #edit with correct id but no token" do
+      setup do
+        get :edit, :user_id => @user.to_param
+      end
+
+      should set_the_flash.to(/double check the URL/i)
+      should render_template(:new)
+    end
+
     context "on PUT to #update with matching password and password confirmation" do
       setup do
         new_password = "new_password"