From 917e32b4fcc1b49bc2ae558cc55aeee21cd9edcc Mon Sep 17 00:00:00 2001
From: Georg Gadinger <nilsding@nilsding.org>
Date: Sun, 3 Jul 2022 23:50:17 +0200
Subject: [PATCH] routes.rb: use 'authenticate' block from devise instead of
 defining the constraint ourselves

---
 config/routes.rb                                 | 10 ++++------
 spec/integration/role_constrained_routes_spec.rb |  3 ++-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/config/routes.rb b/config/routes.rb
index 3b3d35a3..df9245de 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -2,9 +2,8 @@ require 'sidekiq/web'
 Rails.application.routes.draw do
   start = Time.now
 
-  # Sidekiq
-  constraints ->(req) { req.env["warden"].authenticate?(scope: :user) &&
-                        req.env["warden"].user.has_role?(:administrator) } do
+  # Routes only accessible by admins (admin panels, sidekiq, pghero)
+  authenticate :user, ->(user) { user.has_role?(:administrator) } do
     # Admin panel
     mount RailsAdmin::Engine => "/justask_admin", as: "rails_admin"
 
@@ -19,9 +18,8 @@ Rails.application.routes.draw do
     match "/admin/announcements/:id", to: "announcement#destroy", via: :delete, as: :announcement_destroy
   end
 
-  # Moderation panel
-  constraints ->(req) { req.env["warden"].authenticate?(scope: :user) &&
-                        req.env["warden"].user.mod? } do
+  # Routes only accessible by moderators (moderation panel)
+  authenticate :user, ->(user) { user.mod? } do
     match '/moderation/unmask', to: 'moderation#toggle_unmask', via: :post, as: :moderation_toggle_unmask
     match '/moderation/priority(/:user_id)', to: 'moderation#priority', via: :get, as: :moderation_priority
     match '/moderation/ip/:user_id', to: 'moderation#ip', via: :get, as: :moderation_ip
diff --git a/spec/integration/role_constrained_routes_spec.rb b/spec/integration/role_constrained_routes_spec.rb
index 27969ca1..cd613f20 100644
--- a/spec/integration/role_constrained_routes_spec.rb
+++ b/spec/integration/role_constrained_routes_spec.rb
@@ -6,8 +6,9 @@ require "support/pghero_stubby"
 describe "role-constrained routes", type: :request do
   shared_examples_for "fails to access route" do
     it "fails to access route" do
+      # 302 = redirect to login
       # 404 = no user found -- we have a fallback route if something could not be matched
-      expect(subject).to eq 404
+      expect(subject).to be_in [302, 404]
     end
   end