Authorization errors should not return 500 #2372

At the moment, when Pundit::NotAuthorizedError or Administrate::NotAuthorizedError is raised within Administrate, the app returns an HTTP 500 status.

To reproduce:

Expected result: an appropriate HTTP 4xx status, probably 403, perhaps with an error message to match.

Actual result: HTTP 500 status and "We're sorry, but something went wrong" message.

Seems like these exceptions should be rescued by Admin::ApplicationController. More questions:

Comments

One way to handle authorization errors in Rails, shown here with an example that works with cancancan and devise:

```ruby
module Admin
  class ApplicationController < Administrate::ApplicationController
    before_action :authenticate_user!          # Devise: require a signed-in user
    before_action :set_paper_trail_whodunnit

    # Administrate's per-action authorization hook, delegated to CanCanCan
    def authorized_action?(resource, action_name)
      can? action_name.to_sym, resource
    end

    # Turn an authorization failure into a redirect instead of a 500
    rescue_from Administrate::NotAuthorizedError do |_exception|
      redirect_to root_url, alert: 'Not Authorized Error'
    end

    # Override this value to specify the number of elements to display at a time
    # on index pages. Defaults to 20.
    # def records_per_page
    #   params[:per_page] || 20
    # end
  end
end
```

Yeah, we may need something like that. Ideally I was thinking we could have it in

```ruby
rescue_from Administrate::NotAuthorizedError, Pundit::NotAuthorizedError do |_exception|
  show_authorization_error # or something like that
end
```

Then that doesn't cover other exceptions that users might be raising (eg: CanCan::Error). Should we provide a way to tell Administrate what these exceptions might be, so that they are rescued the same way?
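As an added illustration (not Administrate's own code, and not from anyone in this thread), here is a plain-Ruby sketch of the behaviour being discussed: the two built-in exception classes map to a 403, an app can register extra classes such as CanCan::Error so they are handled the same way, and anything unregistered still propagates as it would today. The AuthorizationErrorHandler class, its constructor argument and the stand-in exception classes are assumptions for the demo; they are not part of Administrate, Pundit or CanCanCan.

```ruby
# Plain-Ruby sketch (not Administrate's code) of the behaviour the thread asks for:
# authorization failures become a 403 instead of bubbling up as a 500, and the
# application can register its own authorization exception classes.

# Stand-in exception classes so this file runs without the pundit, administrate
# and cancancan gems loaded. Names match the ones discussed in the issue.
module Pundit; class NotAuthorizedError < StandardError; end; end
module Administrate; class NotAuthorizedError < StandardError; end; end
module CanCan; class Error < StandardError; end; end

class AuthorizationErrorHandler
  # Exceptions Administrate itself would treat as "not authorized" by default.
  DEFAULT_CLASSES = [Administrate::NotAuthorizedError, Pundit::NotAuthorizedError].freeze

  attr_reader :authorization_error_classes

  # Hypothetical hook: the app passes additional classes (e.g. CanCan::Error)
  # so they are rescued the same way as the built-in ones.
  def initialize(extra_classes = [])
    @authorization_error_classes = (DEFAULT_CLASSES + extra_classes).freeze
  end

  # Runs the action and maps a recognised authorization error to a 403
  # response hash. Anything else is re-raised so it still surfaces as a 500:
  # a genuine bug must not be hidden behind a "not authorized" page.
  def call
    { status: 200, body: yield }
  rescue StandardError => e
    raise unless authorization_error?(e)
    { status: 403, body: "Not authorized: #{e.class.name}" }
  end

  def authorization_error?(error)
    authorization_error_classes.any? { |klass| error.is_a?(klass) }
  end
end

# Demo: built-in Pundit error and app-registered CanCan error both become 403.
if __FILE__ == $PROGRAM_NAME
  handler = AuthorizationErrorHandler.new([CanCan::Error])
  p handler.call { raise Pundit::NotAuthorizedError, "cannot show post" }
  p handler.call { raise CanCan::Error, "cannot manage post" }
end
```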