[openstreetmap/openstreetmap-website] Return 401 Unauthorized when user is not logged in (#2062)

[Andy Allan]

This PR changes the `require_user` and `deny_access` methods to return 401 Unauthorized to web requests when the user hasn't yet logged in, and updates the affected tests. This brings us better in line with the HTTP specs.

I came across this while doing some more work on CanCanCan refactoring. The `authorize` method, used by all the API actions, has always returned 401 in this situation, so this PR makes the behaviour the same for non-API actions and simplifies some other work-in-progress that I have.
You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/2062

-- Commit Summary --

  * Return 401 Unauthorized instead of 403 Forbidden via CanCanCan when user isn't logged in yet
  * Return 401 Unauthorized instead of 403 Forbidden for web requests when user isn't logged in yet

-- File Changes --

    M app/controllers/application_controller.rb (6)
    M app/controllers/traces_controller.rb (8)
    M test/controllers/diary_entries_controller_test.rb (10)
    M test/controllers/messages_controller_test.rb (4)
    M test/controllers/oauth_clients_controller_test.rb (6)
    M test/controllers/traces_controller_test.rb (6)
    M test/controllers/user_blocks_controller_test.rb (4)
    M test/controllers/user_roles_controller_test.rb (4)
    M test/controllers/users_controller_test.rb (4)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/2062.patch
https://github.com/openstreetmap/openstreetmap-website/pull/2062.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2062
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20181114/c373dbba/attachment-0001.html>