So this looked very simple to me but apparently I'm unable to solve this. In my Rails application, I need to do user authorization.
So, currently in my application, if a user is unauthorized to view the resource I am redirecting the user to his home page with a message: You are not allowed. This approach returns HTTP 302. I want to return 403 from my controller, and later in browser JavaScript I want to handle it: if the HTTP status code is 403, then redirect to the home page.

I found this answer but it is also doing the same redirection.

Current logic:

  def authorize
    unless user_has_access?
      redirect_to home_page, :notice => 'if dont have access to that resource'
    end
  end

but this returns HTTP 302 for the request, which ideally should have been 403.

I want something like this:

Controller

  def authorize
    unless user_has_access?
      flash[:notice] = 'not allowed'
      # respond with 403 and tell the client where to go, instead of redirecting
      render json: { msg: 'unauthorized', redirect_url: home_page }, status: :forbidden
    end
  end

and then handle it somehow in JS:

  if (response.status === 403) {
    window.location.assign(redirect_url);
  }
  1. Is this possible in Rails?
  2. Is there any gem for this?
  3. Will flash[:notice] still be available in the redirected URL?
vaibhavatul47
  • You should treat your `authorize` action as an independent resource to your `home_page` action. That is, both of them can return 403 and 302, and other HTTP codes independently. By HTTP standards, strictly-speaking, in your `authorize` action, you should not redirect if you meant to respond with an "Unauthorized Access" message, so you just simply return 403, and let the client-side handle this error (i.e. you can write a JS script that redirects to home page if 403 unauthorized is received). However, practically-speaking in your `authorize` action just simply redirect with a... – Jay-Ar Polidario Aug 31 '17 at 09:44
  • ...302 status, and don't worry about returning 403. But show the "Unauthorized Message" on the screen (i.e. using your flash[:alert]). Reason simply is just because for "User Experience", just like how you want the users to be redirected to the home_page. – Jay-Ar Polidario Aug 31 '17 at 09:47
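The browser side the question asks for, as an added example that is not part of the question or any answer. It assumes the controller answers XHR requests with `render json: { msg: ..., redirect_url: ... }, status: :forbidden`; `fetchImpl` and `navigate` are injectable stand-ins so the decision logic can run outside a browser, and the redirect target is checked to be a same-origin path so a 403 body can never steer the browser to another host.

```javascript
// Added example, not from the original post. Assumes the Rails controller
// responds to XHR with 403 and a JSON body {"msg": "...", "redirect_url": "/..."}.

// Return the path the client should navigate to after a 403, or null for any
// other status. The target comes from the server body, so accept only a
// same-origin path: "//evil.example" or "https://evil.example" would otherwise
// turn this handler into an open redirect. Anything else falls back to "/".
function redirectTargetFor403(status, body, fallback = '/') {
  if (status !== 403) return null;
  const candidate = body && body.redirect_url;
  // exactly one leading "/" and no "\" (browsers treat "/\" like "//")
  if (typeof candidate === 'string' && /^\/(?![\/\\])/.test(candidate)) {
    return candidate;
  }
  return fallback;
}

// Wrapper around fetch: on 403, navigate instead of trying to use the body.
// `fetchImpl` and `navigate` are hypothetical injection points for testing;
// in a page the defaults (global fetch, window.location.assign) are used.
async function fetchOrRedirect(url, { fetchImpl = fetch, navigate = (u) => window.location.assign(u) } = {}) {
  const res = await fetchImpl(url, {
    credentials: 'same-origin',              // send the Rails session cookie
    headers: { Accept: 'application/json' }, // ask for the JSON variant, not the HTML page
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* empty or HTML body */ }
  const target = redirectTargetFor403(res.status, body);
  if (target !== null) {
    navigate(target); // e.g. back to the user's home page; flash is shown there
    return { denied: true, msg: body && body.msg };
  }
  return { denied: false, data: body };
}
```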

3 Answers


It is not possible to redirect to some page and put status 403.

rony36

I accomplished what I wanted. Here's how:

In my UsersController

def authorize
    deny_access if user.not_allowed?
end

def deny_access
    flash[:danger] = "You don't have access"
    # render (not redirect) so the response itself carries 403;
    # the flash survives to the next request, i.e. the page the JS redirects to
    render :'users/unauthorized', status: :forbidden
end

Then, I created a new file: app/views/users/unauthorized.html.erb with following contents:

<script type="text/javascript">
  window.location.replace("<%= users_path %>");
</script>

Done!

  1. This returns 403 on unauthorized access.
  2. Redirects user to proper page.
  3. flash[:danger] message is available in the redirected page :)
vaibhavatul47

Rails allows adding `redirect_to root_path, status: :forbidden`, but when you redirect with a 403 status code it will send a response like this: (screenshot of the 403 response in the original answer). On clicking the redirect link you will continue to your path.

To avoid this issue you can render a view or redirect using JS. @Atul vaibhav provided a simple solution.

Isac Moura