Support authorization error flash messages when using turbo frames and streams?

[nickjj]

In a perfect world I would like to do something like this:

  def user_not_authorized
    respond_to do |format|
      format.html do
        flash[:alert] = "You are not authorized to perform this action."
        redirect_back(fallback_location: root_path)
      end
      format.turbo_stream do
        flash.now[:alert] = "You are not authorized to perform this action."
        turbo_stream.prepend "flash", partial: "shared/flash"
      end
    end
  end

And then if someone tried to perform an action they can't do, they would get a flash message on their current page / frame without a redirect.

With the above code using Pundit v2.2.0, on authorization failure no alert message gets shown and no redirect happens. The request gets executed as the html format which I verified by printing a message to the terminal in that block.

As is Pundit doesn’t send the request as a turbo_stream so that format never gets a chance to execute. Is there a current workaround or official plans to support Hotwire Turbo Frames and Steams given it's a Rails 7 default?

Thanks!

[wafcio]

I think, it isn't connected with Pundit because of no view layer in this gem and the whole view part is on the application side.

[nickjj]

@wafcio there's documentation in https://github.com/varvet/pundit#rescuing-a-denied-authorization-in-rails referencing code that doesn't work in Rails when using Turbo. It could be useful to have an up to date example.

[wafcio]

@nickjj so it is only about adapting example code. It doesn't require any changes in gem.

[rmaspero]

Looks like in part the issue is that the format isn't set by the time the rescue from is called as per this SO.

[laptopmutia]

I think this issue is better of as an discussion or stackoverflow question its about how to not should do

pundit is just plain old ruby

currently turbo doesn't support rendering notice on redirect hotwired/turbo#897

the best think you could do is implement 403 and do a full page reload
https://turbo.hotwired.dev/handbook/drive#ensuring-specific-pages-trigger-a-full-reload
this is the same problem as session timeout I think

and also the example in readme is taken from this I think

https://guides.rubyonrails.org/action_controller_overview.html#rescue-from

as for me I think currently my plan is just do full page render from public folder liek when rails handle 404 or 500

[Burgestrand]

I feel this is outside the scope of what Pundit wants to tell you to do. Moving this to a discussion instead.

[nickjj]

Should a PR be created to remove the instructions in the README file since they don't work out of the box?