Fix admin API bypassing

src/handlers/auth_handler.cr

@@ -82,7 +82,12 @@ class AuthHandler < Kemal::Handler
       if env.session.string? "token"
         should_reject = !validate_token_admin(env)
       end
-      env.response.status_code = 403 if should_reject
+      if should_reject
+        env.response.status_code = 403
+        message = "HTTP 403: You are not authorized to visit #{env.request.path}"
+        send_error_page
+        return
+      end
     end
 
     call_next env

src/server.cr

@@ -7,10 +7,6 @@ require "./routes/*"
 
 class Server
   def initialize
-    error 403 do |env|
-      message = "HTTP 403: You are not authorized to visit #{env.request.path}"
-      layout "message"
-    end
     error 404 do |env|
       message = "HTTP 404: Mango cannot find the page #{env.request.path}"
       layout "message"

src/util/web.cr

@@ -1,8 +1,6 @@
 # Web related helper functions/macros
 
-macro layout(name)
+macro check_admin_access
-  base_url = Config.current.base_url
-  begin
   is_admin = false
   # The token (if exists) takes precedence over the default user option.
   #   this is why we check the default username first before checking the
@@ -14,6 +12,12 @@ macro layout(name)
   if token = env.session.string? "token"
     is_admin = Storage.default.verify_admin token
   end
+end
+
+macro layout(name)
+  base_url = Config.current.base_url
+  check_admin_access
+  begin
     page = {{name}}
     render "src/views/#{{{name}}}.html.ecr", "src/views/layout.html.ecr"
   rescue e
@@ -24,6 +28,14 @@ macro layout(name)
   end
 end
 
+macro send_error_page
+  base_url = Config.current.base_url
+  check_admin_access
+  page = "Error"
+  html = render "src/views/message.html.ecr", "src/views/layout.html.ecr"
+  send_file env, html.to_slice, "text/html"
+end
+
 macro send_img(env, img)
   send_file {{env}}, {{img}}.data, {{img}}.mime
 end