Try to redirect back on unauthorized accesses

Only when the `redirect_back_on_unauthorized` preference
exists and is set to true.

This preference has been introduced in core with solidusio/solidus#3118
and we can rely on that preference to drive the behavior change here
as well.

The extra

	if Spree::Config.respond_to?(:redirect_back_on_unauthorized)

check might seem useless but it's needed to avoid printing this
deprecation warning on Solidus versions that still do not have
the preference.

If the Solidus verion used does not have the preference yet, the old
behavior will be preserved.

Author: kennyadsl

lib/spree/auth/engine.rb

@@ -26,26 +26,65 @@ class Engine < Rails::Engine
         ApplicationController.include Spree::AuthenticationHelpers
       end
 
+      def self.redirect_back_on_unauthorized?
+        return false unless Spree::Config.respond_to?(:redirect_back_on_unauthorized)
+
+        if Spree::Config.redirect_back_on_unauthorized
+          true
+        else
+          Spree::Deprecation.warn <<-WARN.strip_heredoc, caller
+            Having Spree::Config.redirect_back_on_unauthorized set
+            to `false` is deprecated and will not be supported in Solidus 3.0.
+            Please change this configuration to `true` and be sure that your
+            application does not break trying to redirect back when there is
+            an unauthorized access.
+          WARN
+
+          false
+        end
+      end
+
       def self.prepare_backend
         Spree::Admin::BaseController.unauthorized_redirect = -> do
           if try_spree_current_user
             flash[:error] = I18n.t('spree.authorization_failure')
-            redirect_to spree.admin_unauthorized_path
+
+            if Spree::Auth::Engine.redirect_back_on_unauthorized?
+              redirect_back(fallback_location: spree.admin_unauthorized_path)
+            else
+              redirect_to spree.admin_unauthorized_path
+            end
           else
             store_location
-            redirect_to spree.admin_login_path
+
+            if Spree::Auth::Engine.redirect_back_on_unauthorized?
+              redirect_back(fallback_location: spree.admin_login_path)
+            else
+              redirect_to spree.admin_login_path
+            end
           end
         end
       end
 
+
       def self.prepare_frontend
         Spree::BaseController.unauthorized_redirect = -> do
           if try_spree_current_user
             flash[:error] = I18n.t('spree.authorization_failure')
-            redirect_to spree.unauthorized_path
+
+            if Spree::Auth::Engine.redirect_back_on_unauthorized?
+              redirect_back(fallback_location: spree.unauthorized_path)
+            else
+              redirect_to spree.unauthorized_path
+            end
           else
             store_location
-            redirect_to spree.login_path
+
+            if Spree::Auth::Engine.redirect_back_on_unauthorized?
+              redirect_back(fallback_location: spree.login_path)
+            else
+              redirect_to spree.login_path
+            end
           end
         end
       end

spec/controllers/spree/admin/base_controller_spec.rb

@@ -8,19 +8,45 @@
       def index; authorize!(:read, :something); end
     end
 
+    before do
+      stub_spree_preferences(Spree::Config, redirect_back_on_unauthorized: true)
+    end
+
     context "when user is logged in" do
       before { sign_in(create(:user)) }
 
-      it "redirects to unauthorized path" do
-        get :index
-        expect(response).to redirect_to(spree.admin_unauthorized_path)
+      context "when http_referrer is not present" do
+        it "redirects to unauthorized path" do
+          get :index
+          expect(response).to redirect_to(spree.admin_unauthorized_path)
+        end
+      end
+
+      context "when http_referrer is present" do
+        before { request.env['HTTP_REFERER'] = '/redirect' }
+
+        it "redirects back" do
+          get :index
+          expect(response).to redirect_to('/redirect')
+        end
       end
     end
 
     context "when user is not logged in" do
-      it "redirects to login path" do
-        get :index
-        expect(response).to redirect_to(spree.admin_login_path)
+      context "when http_referrer is not present" do
+        it "redirects to login path" do
+          get :index
+          expect(response).to redirect_to(spree.admin_login_path)
+        end
+      end
+
+      context "when http_referrer is present" do
+        before { request.env['HTTP_REFERER'] = '/redirect' }
+
+        it "redirects back" do
+          get :index
+          expect(response).to redirect_to('/redirect')
+        end
       end
     end
   end

spec/controllers/spree/base_controller_spec.rb

@@ -8,19 +8,45 @@
       def index; authorize!(:read, :something); end
     end
 
+    before do
+      stub_spree_preferences(Spree::Config, redirect_back_on_unauthorized: true)
+    end
+
     context "when user is logged in" do
       before { sign_in(create(:user)) }
 
-      it "redirects to unauthorized path" do
-        get :index
-        expect(response).to redirect_to(spree.unauthorized_path)
+      context "when http_referrer is not present" do
+        it "redirects to unauthorized path" do
+          get :index
+          expect(response).to redirect_to(spree.unauthorized_path)
+        end
+      end
+
+      context "when http_referrer is present" do
+        before { request.env['HTTP_REFERER'] = '/redirect' }
+
+        it "redirects back" do
+          get :index
+          expect(response).to redirect_to('/redirect')
+        end
       end
     end
 
     context "when user is not logged in" do
-      it "redirects to login path" do
-        get :index
-        expect(response).to redirect_to(spree.login_path)
+      context "when http_referrer is not present" do
+        it "redirects to login path" do
+          get :index
+          expect(response).to redirect_to(spree.login_path)
+        end
+      end
+
+      context "when http_referrer is present" do
+        before { request.env['HTTP_REFERER'] = '/redirect' }
+
+        it "redirects back" do
+          get :index
+          expect(response).to redirect_to('/redirect')
+        end
       end
     end
   end