With Ruby on Rails 5, how can I have Pundit redirect back when not authorized to the same stored_location_for() Devise uses?

Question

I have followed the Devise wiki on how to set up a store_user_location! method to redirect back to the previous page after sign_in/sign_out and would like to use this same method for redirecting with Pundit after a user_not_authorized is triggered but I'm not sure what to supply for the "resource_or_scope". Usually this is something Devise supplies in it's callbacks (after_sign_in_path_for(resource_or_scope)). Is it possible to use this same method with Pundit and what do I supply as the resource_or_scope?

def user_not_authorized
  flash[:error] = "You are not authorized to perform this action."
  stored_location_for(what_goes_here?)
end

fongfan999 · Answer 1 · 2020-06-02T04:18:27.363

3

Try to the following below, I usually approach that like this:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # ...
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  # Redirects the browser to the page that issued the request (the referrer) if possible,
  # otherwise redirects to the root location.
  def user_not_authorized
    redirect_back(fallback_location: root_path)
  end
end

Hope it helps!

edited Jun 02 '20 at 04:18

answered Apr 07 '18 at 07:34

fongfan999

2,565
1
12
21

1

redirect_back fallback: root_path OR redirect_back fallback_location: root_path ? – american-ninja-warrior May 31 '20 at 17:50
1

It should have been `fallback_location`, tks for pointing out! – fongfan999 Jun 02 '20 at 04:18

score 0 · Accepted Answer · answered Apr 07 '18 at 23:49

I found what I was looking for and the answer to "what_goes_here" is ":user", which I got to from the linked wiki's function:

def store_user_location
  # :user is the scope we are authenticating
  store_location_for(:user, request.fullpath)
end

Unfortunately, this does not work like I was hoping as my before_action :store_user_location!, if: :storable_location? stores the location attempting to be accessed before it is authorized and if the user ends up being not authorized it just redirects back to the same URL they are not authorized for and an infinite redirect loop ensues.

I also tried the redirect_back fallback: root_path option and for whatever reason, it just always takes me back to the root_path, which I do not like from a usability standpoint.

I'm now looking into other options but it looks like it's going to end up just displaying a 401/404 error page when not authorized and the user can just use their browser's back button.

With Ruby on Rails 5, how can I have Pundit redirect back when not authorized to the same stored_location_for() Devise uses?

2 Answers2