Rails Raise 403 Error
How to return correct HTTP error codes from Ruby on Rails application

(22 votes) asked Feb 3 '12 at 14:29 by Alexander Savin

I have a RoR 3.0 web application which is acting as an OAuth API provider. Now, in the API I'd like to return correct HTTP error codes to the API consumer. How do I do this?

Here is an example:

    def destroy_oauth
      @item = Item.find(params[:id])
      if(!@item.nil? && @item.user_id == current_user.id)
        @item.destroy
        respond_to do |format|
          format.js
          format.xml
        end
      else
        raise ActionController::RoutingError.new('Forbidden')
      end
    end

So, in case of error I'm trying to return the Forbidden 403 code. Still, when running this I'm always getting 404 Not Found returned. How do I return the correct code? Or is this somehow a webserver-configurable thing?

Tags: ruby-on-rails ruby http

5 Answers

(25 votes, accepted) answered Feb 3 '12 at 14:33 by Sandip Ransing

You should render the page with the correct status.

    render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)

Should I do this also for OAuth API xml responses? –Alexander Savin Feb 3 '12 at 14:59

(2 votes) As a side-note here, specifying the .html extension like this is deprecated (see discussion at github.com/rails/rails/issues/7288), so we should use

    render(:file => File.join(Rails.root, 'public/403'), :formats => [:html], :status => 403, :layout => false)

(note the way I've specified the format). –Ollie Bennett Oct 1 '14 at 9:02

(30 votes) answered Feb 3 '12 at 15:02 by Frederick Cheung

When you're just giving a status code and there is no body, a convenient way is

    head 403

This method also accepts the symbolic names for status codes, such as

    head :forbidden

Oh, that could be what I need. Will try. –Alexander Savin Feb 3 '12 at 1
http://stackoverflow.com/questions/9130191/how-to-return-correct-http-error-codes-from-ruby-on-rails-application

a 403 error?
Satsou Sa (mosh) on 2010-06-12 00:59

Hello all, I am working on Rails 3, and I would like to return a forbidden error message from a controller. I tried something like this:

    def my_action
      respond_to do |format|
        format.html { redirect_to(login_path, :warning => I18n.t('.forbidden'), :status => :forbidden) }
        format.xml { render :xml => I18n.t('.forbidden'), :status => :forbidden }
      end
    end

But it is not what I need, because I don't want to redirect to a particular page, such as login. I just want to return a standard 403 error (with raise maybe). Is that possible? Thank you for your help.

Re: How to raise a 403 error?
Mickael Gerard (Guest) on 2010-06-12 10:38

Hello, I did not check if it is still there in Rails 3, but in Rails 2, ActionController::Base#render accepts a :nothing option used to render empty text. Usage:

    render :nothing => true, :status => whatever

And you have a shortcut method for "only headers" responses, ActionController::Base#head. Usage:

    format.xml { head :forbidden }

Mickael

Re: How to raise a 403 error?
Satsou Sa (mosh) on 2010-06-12 10:45

Mickael Gerard wrote:
> render :nothing => true, :status => whatever
>
> And you have a short cut method for "only headers"
> response ActionController::Base#head
> usage :
>
> format.xml { head :forbidden }
>
> Mickael

You solved my question. Many thanks.

https://www.ruby-forum.com/topic/211416
feature in Clearance. We discovered that setting the 403 status code turned out to be a bad user experience in some browsers such as Chrome on Windows machines. Philosophically, we decided we value user experience over technical purity.

https://robots.thoughtbot.com/forbidden-kisses-http-fluency-in-clearance

Clearance tries to be fluent in HTTP. That means a few things:

- Know when to return which HTTP status codes.
- Know when to raise errors.

401 Unauthorized

In layman’s terms: Specifically for use when authentication is possible but has failed or not yet been provided.

The response is 401 Unauthorized out of the box with Clearance when:

- A user tries to sign in with bad credentials.
- A user without confirmed email tries to sign in.

If you protect an action with before_filter :authenticate in your app, Clearance will also return 401 Unauthorized when:

- A user who is not signed in tries to access that action.

403 Forbidden

In layman’s terms: The request was a legal request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference.

The response is 403 Forbidden out of the box with Clearance when:

- A user tries to confirm a user with confirmed email.
- A user tries to confirm a user without a token.
- A user tries to confirm a user without the correct token for an unconfirmed user.
- A user tries to edit a user’s password without a token.
- A user tries to update a user’s password without a token.
- A user tries to edit a user’s password without the correct token for the user.
- A user tries to update a user’s password without the correct token for the user.

These are legal requests by someone or something (maybe a malicious user) requesting actions in forbidden, exceptional ways. They are not available to any user, regardless of their authentication status. The server should refuse to respond to it.
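The 401/403 rules above, applied together with the ownership check from the Stack Overflow question, as an added plain-Ruby example (it is not Clearance's or Rails' code). All class, method and data names are hypothetical, and the status table only stands in for a framework mapping a rescued error class to a response code.

```ruby
# Added example in plain Ruby (no Rails); every name here is hypothetical.
class Unauthorized < StandardError; end # authentication missing or failed -> 401
class Forbidden    < StandardError; end # authenticating would not help    -> 403
class NotFound     < StandardError; end # record does not exist            -> 404

# One table decides the status for each error class, so actions only raise.
STATUS_FOR = { Unauthorized => 401, Forbidden => 403, NotFound => 404 }.freeze

# Constructed sample data.
USERS = { 1 => { token: "tok-alice" }, 2 => { token: "tok-bob" } }.freeze
ITEMS = { 10 => { user_id: 1 }, 11 => { user_id: 2 } }.freeze

# Compare secrets without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Ownership check modelled on the question's destroy action.
def destroy_item(current_user_id, item_id)
  raise Unauthorized if current_user_id.nil? # not signed in: 401
  item = ITEMS.fetch(item_id) { raise NotFound }
  raise Forbidden unless item[:user_id] == current_user_id # signed in, not owner: 403
  :destroyed
end

# Password edit modelled on the Clearance list: missing or wrong token is 403.
def edit_password(user_id, token)
  user = USERS.fetch(user_id) { raise NotFound }
  raise Forbidden if token.nil? || !secure_equal?(token, user[:token])
  :edit_form
end

# Runs an action and returns [status, result]; unmapped errors still propagate.
def respond
  [200, yield]
rescue *STATUS_FOR.keys => e
  [STATUS_FOR.fetch(e.class), nil]
end
```

Raising a class that the table maps to 404 can never yield 403, which is the behaviour the question observed with its routing error.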
When to raise errors

Consider a typical edit, show, or destroy action:

    def show
      @user = User.find(params[:id])
    end

In the development and test environments, this will raise an ActiveRecord::RecordNotFound error if a User does not exist for the given id. In production, this will return 404 Not Found instead of 500 Internal Server Error. Rails does this by rescuing the ActiveRecord::RecordNotFound error for public requests (for example, staging