separate login_required from access denied response

They are very different. Let's handle them in different methods.

1 files changed, 17 insertions, 7 deletions

diff --git a/app/controllers/controller_extension/authentication.rb b/app/controllers/controller_extension/authentication.rb
index 1f73f38..fae5145 100644
--- a/app/controllers/controller_extension/authentication.rb
+++ b/app/controllers/controller_extension/authentication.rb
@@ -16,7 +16,7 @@ module ControllerExtension::Authentication
   end
 
   def require_login
-    access_denied unless logged_in?
+    login_required unless logged_in?
   end
 
   # some actions only make sense if you are not logged in yet.
@@ -29,14 +29,24 @@ module ControllerExtension::Authentication
   def access_denied
     respond_to do |format|
       format.html do
-        if logged_in?
-          redirect_to home_url, :alert => t(:not_authorized)
-        else
-          redirect_to login_url, :alert => t(:not_authorized_login)
-        end
+        redirect_to home_url, :alert => t(:not_authorized)
       end
       format.json do
-        render :json => {'error' => t(:not_authorized)}, status: :unprocessable_entity
+        render :json => {'error' => t(:not_authorized)}, status: :forbidden
+      end
+    end
+  end
+
+  def login_required
+    respond_to do |format|
+      format.html do
+        redirect_to login_url, alert: t(:not_authorized_login)
+      end
+      format.json do
+        # Warden will intercept the 401 response and call
+        # SessionController#unauthenticated instead.
+        render json: {error: t(:not_authorized_login)},
+          status: :unauthorized
       end
     end
   end