You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Expected result: an appropriate HTTP 4xx status, probably 403, perhaps with an error message to match.
Actual result: HTTP 500 status and "We're sorry, but something went wrong" message.
Seems like these exceptions should be rescued by Admin::ApplicationController. More questions:
Should we also show an error message? What should it look like? Rails doesn't provide (that I know) error pages for errors other than 404, 422 and 500, so we would have to provide something ourselves.
If a user integrates their own authorization mechanism, the raised exceptions will be different (eg: they integrate with cancancan and raise CanCan::Error). Should we provide a way to tell Administrate what these exceptions might be, so that they are rescued the same way?
The text was updated successfully, but these errors were encountered:
One way to handle authorization errors in Rails is to use the rescue_from method within the admin/ApplicationController. This method allows developers to catch exceptions and define custom actions for them. For example, if a user tries to access a resource that they are not authorized to view, the rescue_from method can redirect them to a different page or show an error message. Developers can also adapt their own authorization package or gem to work with the rescue_from method.
it's what example to work with cancancan and devise
moduleAdminclassApplicationController < Administrate::ApplicationControllerbefore_action:authenticate_user!before_action:set_paper_trail_whodunnitdefauthorized_action?(_resource,_action_name)can?_action_name.to_sym,_resourceendrescue_fromAdministrate::NotAuthorizedErrordo |_exception|
redirect_toroot_url,alert: 'Not Authorized Error'end# Override this value to specify the number of elements to display at a time# on index pages. Defaults to 20.# def records_per_page# params[:per_page] || 20# endendend
Yeah, we may need something like that. Ideally I was thinking we could have it in Administrate::ApplicationController, so that users don't have to set it up. However if we just say the following:
rescue_fromAdministrate::NotAuthorizedError,Pundit::NotAuthorizedErrordo |_exception|
show_authorization_error# or something like thatend
Then that doesn't cover other exceptions that users might be raising (eg: CanCan::Error). Options:
We add to the documentation so that they set their own rescue_from.
Offer some sort of configuration where they can list the errors they may raise, and this is used in the common rescue_from above.
At the moment, when
Pundit::NotAuthorizedError
orAdministrate::NotAuthorizedError
is raised within Administrate, the app returns an HTTP 500 status.To reproduce:
Expected result: an appropriate HTTP 4xx status, probably 403, perhaps with an error message to match.
Actual result: HTTP 500 status and "We're sorry, but something went wrong" message.
Seems like these exceptions should be rescued by
Admin::ApplicationController
. More questions:CanCan::Error
). Should we provide a way to tell Administrate what these exceptions might be, so that they are rescued the same way?The text was updated successfully, but these errors were encountered: