[#162105][WIP] Tech Task: Handle mime type errors

app/controllers/application_controller.rb

@@ -118,38 +118,6 @@ def acting_as?
     acting_user.object_id != session_user.object_id
   end
 
-  # Global exception handlers
-  rescue_from ActiveRecord::RecordNotFound do |exception|
-    Rails.logger.debug("#{exception.message}: #{exception.backtrace.join("\n")}") unless Rails.env.production?
-    render_404(exception)
-  end
-
-  rescue_from ActionController::RoutingError do |exception|
-    Rails.logger.debug("#{exception.message}: #{exception.backtrace.join("\n")}") unless Rails.env.production?
-    render_404(exception)
-  end
-
-  def render_404(_exception)
-    # Add html fallback in case the 404 is a PDF or XML so the view can be found
-    render "/404", status: 404, layout: "application", formats: formats_with_html_fallback
-  end
-
-  rescue_from NUCore::PermissionDenied, CanCan::AccessDenied, with: :render_403
-  def render_403(_exception)
-    # if current_user is nil, the user should be redirected to login
-    if current_user
-      render "/403", status: 403, layout: "application", formats: formats_with_html_fallback
-    else
-      store_location_for(:user, request.fullpath)
-      redirect_to new_user_session_path
-    end
-  end
-
-  rescue_from NUCore::NotPermittedWhileActingAs, with: :render_acting_error
-  def render_acting_error
-    render "/acting_error", status: 403, layout: "application", formats: formats_with_html_fallback
-  end
-
   def after_sign_out_path_for(_)
     if current_facility.present?
       facility_path(current_facility)

app/controllers/errors_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class ErrorsController < ApplicationController
+
+  def not_found
+    respond_to do |format|
+      format.html { render status: :not_found }
+    end
+  rescue ActionController::UnknownFormat
+    head :not_found
+  end
+
+  def internal_server_error
+    respond_to do |format|
+      format.html { render status: :internal_server_error }
+    end
+  rescue ActionController::UnknownFormat
+    head :internal_server_error
+  end
+
+  def forbidden
+    @error_message = if acting_error?
+      "This function is unavailable while you are acting as another user."
+    else
+      "Sorry, you don't have permission to access this page."
+    end
+
+    if current_user || acting_error?
+      respond_to do |format|
+        format.html { render status: :forbidden }
+      end
+    else
+      # if current_user is nil, the user should be redirected to login
+      store_location_for(:user, request.fullpath)
+      redirect_to new_user_session_path
+    end
+  rescue ActionController::UnknownFormat
+    head :forbidden
+  end
+
+  def acting_error?
+    request.env["action_dispatch.exception"].instance_of?(NUCore::NotPermittedWhileActingAs)
+  end
+
+end

app/views/403.html.erb → app/views/errors/forbidden.html.erb

@@ -1,2 +1,2 @@
 <% content_for :h1 do %>403 &ndash; Permission Denied<% end %>
-Sorry, you don't have permission to access this page.
+<p class="notice"><%= @error_message %></p>

app/views/errors/internal_server_error.html.erb

@@ -0,0 +1,3 @@
+<% content_for :h1 do %>500 &ndash; Internal Server Error<% end %>
+We're sorry, but something went wrong.
+We've been notified about this issue and we'll take a look at it shortly.

config/application.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "boot"
+require_relative "../lib/custom_exceptions_app_wrapper"
 
 require "rails/all"
 require "will_paginate/array"
@@ -80,6 +81,14 @@ class Application < Rails::Application
     # Prevent invalid (usually malicious) URLs from causing exceptions/issues
     config.middleware.insert 0, Rack::UTF8Sanitizer
 
+    # Use a custom exceptions app to handle mime type exceptions
+    # https://guides.rubyonrails.org/configuring.html#config-exceptions-app
+    config.exceptions_app = CustomExceptionsAppWrapper.new(exceptions_app: routes)
+
+    config.action_dispatch.rescue_responses["NUCore::PermissionDenied"] = :forbidden
+    config.action_dispatch.rescue_responses["CanCan::AccessDenied"] = :forbidden
+    config.action_dispatch.rescue_responses["NUCore::NotPermittedWhileActingAs"] = :forbidden
+
     config.active_storage.variant_processor = :vips
   end
 

config/routes.rb

@@ -429,4 +429,9 @@
 
   # See config/initializers/health_check.rb for more information
   health_check_routes
+
+  # Handle errors
+  match "/403", to: "errors#forbidden", via: :all
+  match "/404", to: "errors#not_found", via: :all
+  match "/500", to: "errors#internal_server_error", via: :all
 end

lib/custom_exceptions_app_wrapper.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class CustomExceptionsAppWrapper
+
+  def initialize(exceptions_app:)
+    @exceptions_app = exceptions_app
+  end
+
+  def call(env)
+    request = ActionDispatch::Request.new(env)
+
+    fallback_to_html_format_if_invalid_mime_type(request)
+
+    @exceptions_app.call(env)
+  end
+
+  private
+
+  def fallback_to_html_format_if_invalid_mime_type(request)
+    request.formats
+  rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+    request.set_header "CONTENT_TYPE", "text/html"
+  end
+
+end

spec/requests/errors_spec.rb

@@ -0,0 +1,18 @@
+require 'rails_helper'
+
+RSpec.describe "Errors", type: :request do
+  describe "GET /not_found" do
+    it "returns http success" do
+      get "/errors/not_found"
+      expect(response).to have_http_status(:success)
+    end
+  end
+
+  describe "GET /internal_server_error" do
+    it "returns http success" do
+      get "/errors/internal_server_error"
+      expect(response).to have_http_status(:success)
+    end
+  end
+
+end