From 5ba051c8cff36c6ec686c8b00c5ff6824f109e02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Jos=C3=A9=20Mata?= <juanjo.mata@gmail.com>
Date: Fri, 23 Jan 2026 11:39:48 +0100
Subject: [PATCH] fix: Broken `/terms` and `/privacy` routes (#749)

* fix: replace invalid redirect("about:blank") with proper controller actions

The privacy and terms routes were using redirect("about:blank") which is
invalid because about:blank is a browser-specific pseudo URL, not a valid
HTTP redirect target. This fix replaces them with proper controller actions
that render placeholder pages.

Changes:
- Add privacy and terms actions to PagesController with skip_authentication
- Create privacy.html.erb and terms.html.erb view templates
- Add i18n translations for the new pages
- Update routes to use pages#privacy and pages#terms

https://claude.ai/code/session_01RL36dMda1o6LXGsnGnTJZu

* Make legal routes configurable

---------

Co-authored-by: Claude <noreply@anthropic.com>
---
 app/controllers/pages_controller.rb | 10 +++++++++-
 app/views/pages/privacy.html.erb    | 12 ++++++++++++
 app/views/pages/terms.html.erb      | 12 ++++++++++++
 config/locales/views/pages/en.yml   |  8 ++++++++
 config/routes.rb                    |  6 ++++--
 5 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 app/views/pages/privacy.html.erb
 create mode 100644 app/views/pages/terms.html.erb

diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
index b1053b026..4657d8a99 100644
--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -1,7 +1,7 @@
 class PagesController < ApplicationController
   include Periodable
 
-  skip_authentication only: :redis_configuration_error
+  skip_authentication only: %i[redis_configuration_error privacy terms]
 
   def dashboard
     @balance_sheet = Current.family.balance_sheet
@@ -55,6 +55,14 @@ class PagesController < ApplicationController
     render layout: "blank"
   end
 
+  def privacy
+    render layout: "blank"
+  end
+
+  def terms
+    render layout: "blank"
+  end
+
   private
     def preferences_params
       prefs = params.require(:preferences)
diff --git a/app/views/pages/privacy.html.erb b/app/views/pages/privacy.html.erb
new file mode 100644
index 000000000..303f18766
--- /dev/null
+++ b/app/views/pages/privacy.html.erb
@@ -0,0 +1,12 @@
+<% content_for :title, t(".title") %>
+
+<div class="flex items-center justify-center h-full p-4 sm:p-6 lg:p-8">
+  <div class="w-full max-w-md sm:max-w-lg lg:max-w-2xl">
+    <div class="bg-container border border-primary rounded-xl p-6 sm:p-8 shadow-sm">
+      <div class="text-center">
+        <h1 class="text-xl sm:text-2xl font-bold text-primary mb-4"><%= t(".heading") %></h1>
+        <p class="text-sm sm:text-base text-muted"><%= t(".placeholder") %></p>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/app/views/pages/terms.html.erb b/app/views/pages/terms.html.erb
new file mode 100644
index 000000000..303f18766
--- /dev/null
+++ b/app/views/pages/terms.html.erb
@@ -0,0 +1,12 @@
+<% content_for :title, t(".title") %>
+
+<div class="flex items-center justify-center h-full p-4 sm:p-6 lg:p-8">
+  <div class="w-full max-w-md sm:max-w-lg lg:max-w-2xl">
+    <div class="bg-container border border-primary rounded-xl p-6 sm:p-8 shadow-sm">
+      <div class="text-center">
+        <h1 class="text-xl sm:text-2xl font-bold text-primary mb-4"><%= t(".heading") %></h1>
+        <p class="text-sm sm:text-base text-muted"><%= t(".placeholder") %></p>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/config/locales/views/pages/en.yml b/config/locales/views/pages/en.yml
index f19322678..bded845ee 100644
--- a/config/locales/views/pages/en.yml
+++ b/config/locales/views/pages/en.yml
@@ -3,6 +3,14 @@ en:
   pages:
     changelog:
       title: What's new
+    privacy:
+      title: Privacy Policy
+      heading: Privacy Policy
+      placeholder: Privacy policy content will be displayed here.
+    terms:
+      title: Terms of Service
+      heading: Terms of Service
+      placeholder: Terms of service content will be displayed here.
     dashboard:
       welcome: "Welcome back, %{name}"
       subtitle: "Here's what's happening with your finances"
diff --git a/config/routes.rb b/config/routes.rb
index ffd81b372..69e1f4fc1 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -450,8 +450,10 @@ Rails.application.routes.draw do
 
   get "imports/:import_id/upload/sample_csv", to: "import/uploads#sample_csv", as: :import_upload_sample_csv
 
-  get "privacy", to: redirect("about:blank")
-  get "terms", to: redirect("about:blank")
+  privacy_url = ENV["LEGAL_PRIVACY_URL"].presence
+  terms_url = ENV["LEGAL_TERMS_URL"].presence
+  get "privacy", to: privacy_url ? redirect(privacy_url) : "pages#privacy"
+  get "terms", to: terms_url ? redirect(terms_url) : "pages#terms"
 
   # Admin namespace for super admin functionality
   namespace :admin do