Closed joemasilotti closed 2 years ago
Hi - thanks for the question.
I'm not sure I understand your use-case: why would you redirect the user to an external site (like google.com) when authorization fails? This will mean that they never see the flash message.
The expected use case is that you redirect the user back to the page from which they tried to log in, and show the flash message there. If the documentation is unclear, maybe we can make it clearer?
redirect_to request.referer
is just a wrapper around redirect_to request.referer
, so you'd still have to pass allow_other_host: true
In conclusion: yes we should probably be suggesting redirect_back(fallback_location: root_path)
in the README, but if you want to redirect to an external site, you'll need to explicitly allow that.
I'm not sure I understand your use-case: why would you redirect the user to an external site (like google.com) when authorization fails? This will mean that they never see the flash message.
Ha, agreed! I 100% do not want to redirect them back to an external site. Which is why I was thinking that the redirect_back(fallback_location: root_path)
is a better solution. Happy to open a PR if that's what you'd like in the README!
@joemasilotti still not sure we're on the same page:
These two are entirely identical in terms of what they do, right?
redirect_to(request.referrer || root_path)
redirect_back(fallback_location: root_path)
If you look at the source code, it's just syntactic sugar: the implementation of the second line is basically the first line?
I do think the second line is clearer and what we should say in the README - I just want to be clear between us that it's exactly the same behaviour.
Ah, got it. I thought redirect_back
did something fancy.
So, even though this issue isn't related to pundit, do you have any advice on how to not redirect if the referrer is external?
@joemasilotti I'm not sure I understand the question - isn't the ActionController::Redirecting::UnsafeRedirectError
(which you described in your original post) the mechanism which prevents you from redirecting to external referrers?
It is! But it raises an exception. I'd rather not raise the error and redirect to root_path
in that case.
Or is the recommended approach to rescue ActionController::Redirecting::UnsafeRedirectError
?
It is! But it raises an exception. I'd rather not raise the error and redirect to
root_path
in that case.Or is the recommended approach to
rescue ActionController::Redirecting::UnsafeRedirectError
?
It looks like it from the commit in rails, and I think that's the approach I'd take too.
Ah, perfect! Thanks so much for the help with this.
In the README and docs the following method is recommended to recover from unauthorized access.
I just upgraded to Rails 7 and this tried to redirect the user to
google.com
. I only know because I received an error that I should be usingallow_other_host: true
to the redirection!So, my question is if
request.referrer
is the best approach here. Should instead it be recommended to `redirect_back(fallback_location: root_path)? Or something else? Or maybe I'm missing something entirely!