
I have the following action for my proposals controller:

    def show
      @proposal = Proposal.find(params[:id])
      authorize @proposal
    end

I have the following policy:

    class ProposalPolicy
      attr_reader :current_user, :proposal

      def initialize(current_user, proposal)
        @current_user = current_user
        @proposal = proposal
      end

      def show?
        @proposal.published? || @proposal.proposer == @current_user
      end
    end

How can I redirect to a specific page, say the proposals index or the root page, if permission is denied when trying to go to the show page?

When I navigate to it without the right permission I just get a Rails error page with the following:

    not allowed to show? this<proposal OBJ ispsum lorem>

I just want them to get a simple notification and be redirected to another page. What is the best way to do this? I am guessing with some sort of if statement in the show view, but nothing has worked so far.
james

1 Answer

Pundit has a mechanism for this. You'll create a private method in your controller called user_not_authorized - in it you'll be able to create a flash notification and add a location.

    class ApplicationController < ActionController::Base
      protect_from_forgery
      include Pundit

      rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

      private

      def user_not_authorized
        flash[:alert] = "You are not authorized to perform this action."
        redirect_to(request.referrer || root_path)
      end
    end

More information here: https://github.com/elabs/pundit#rescuing-a-denied-authorization-in-rails

Jason Swett
trh
  • Am I able to give custom messages depending on which action they are not authorized for? – james Sep 01 '15 at 04:33
  • Indeed. Just add the policy and action to your locale file in config - you can see an example in pundit's documentation: https://github.com/elabs/pundit#creating-custom-error-messages – trh Sep 01 '15 at 05:39
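An added example, not part of the answer or the comments, that runs the flow described above without Rails: the question's `ProposalPolicy` is used as-is, while `NotAuthorizedError`, `authorize`, the `MESSAGES` table and the flash/redirect hash are stand-ins for Pundit's exception, its `authorize` helper, a locale file and the controller's `redirect_to`. It also shows what the follow-up comment asks about: the exception carries `query` and `policy`, so the rescue handler can choose a message per policy and action.

```ruby
# Added example, not from the page: a Rails-free run of the answer's flow.
Proposal = Struct.new(:title, :published, :proposer) do
  def published?; published; end
end

# The policy from the question (`or` swapped for the idiomatic `||`).
class ProposalPolicy
  attr_reader :current_user, :proposal
  def initialize(current_user, proposal)
    @current_user = current_user
    @proposal = proposal
  end
  def show?
    @proposal.published? || @proposal.proposer == @current_user
  end
end

# Stand-in for Pundit::NotAuthorizedError; the real class exposes the same
# readers (query, record, policy), which is what enables per-action messages.
class NotAuthorizedError < StandardError
  attr_reader :query, :record, :policy
  def initialize(query:, record:, policy:)
    @query, @record, @policy = query, record, policy
    super("not allowed to #{query} this #{record.class}")
  end
end

# Stand-in for Pundit's `authorize`: find <Model>Policy and call "#{action}?".
def authorize(user, record, action)
  policy = Object.const_get("#{record.class}Policy").new(user, record)
  return record if policy.public_send("#{action}?")
  raise NotAuthorizedError.new(query: "#{action}?", record: record, policy: policy)
end

# Messages keyed by policy class then query, mirroring Pundit's locale lookup (constructed text).
MESSAGES = { "ProposalPolicy" => { "show?" => "This proposal is not published yet." },
             "default" => "You are not authorized to perform this action." }.freeze

# Equivalent of the answer's user_not_authorized: pick flash text and redirect target.
def handle_denied(error, referrer: nil, root_path: "/")
  message = MESSAGES.dig(error.policy.class.name, error.query) || MESSAGES["default"]
  { flash: message, redirect_to: referrer || root_path }
end
# The question's show action with the rescue the answer adds.
def show_proposal(user, proposal, referrer: nil)
  authorize(user, proposal, :show)
  { flash: nil, render: :show }
rescue NotAuthorizedError => e
  handle_denied(e, referrer: referrer)
end
```

Because the handler reads the exception rather than a fixed string, a second policy or action only needs a new entry in `MESSAGES` (or, in a real app, the locale file), not another `rescue_from`.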