| field | value | date |
|---|---|---|
| author | Derek Prior <derekprior@gmail.com> | 2015-12-15 20:17:32 -0500 |
| committer | Derek Prior <derekprior@gmail.com> | 2015-12-16 11:42:05 -0500 |
| commit | 13fd5586cef628a71e0e2900820010742a911099 (patch) | |
| tree | b6a82887247a24b6877e63156cf002df5028c856 /guides | |
| parent | d95351236071215a931c626ec2fe7059270f606c (diff) | |
| download | rails-13fd5586cef628a71e0e2900820010742a911099.tar.gz, rails-13fd5586cef628a71e0e2900820010742a911099.tar.bz2, rails-13fd5586cef628a71e0e2900820010742a911099.zip | |
Add `redirect_back` for safer referrer redirects
`redirect_to :back` is a somewhat common pattern in Rails apps, but it
is not completely safe. There are a number of circumstances where HTTP
referrer information is not available on the request. This happens often
with bot traffic and occasionally to user traffic depending on browser
security settings.
When there is no referrer available on the request, `redirect_to :back`
will raise `ActionController::RedirectBackError`, usually resulting in
an application error.
`redirect_back` takes a required `fallback_location` keyword argument
that specifies the redirect when the referrer information is not
available. This prevents 500 errors caused by
`ActionController::RedirectBackError`.
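The commit message above contrasts `redirect_to :back` with `redirect_back(fallback_location:)`. The following is an added example, not Rails code and not part of this commit: a small stand-in model of the two helpers that can be run without a Rails app, so the three request shapes that matter (same-site Referer, no Referer, off-site Referer) can be compared side by side. It goes one step beyond the commit by adding a hypothetical same-host variant, to make the point that `fallback_location` only replaces an absent Referer; a Referer that is present is still supplied by the client and is followed as-is. `MiniController`, `RedirectBackError` (a stand-in for `ActionController::RedirectBackError`), the sample requests and `ROOT_PATH` are all constructed for the example.

```ruby
# Added example (not Rails code): a minimal model of the two redirect helpers
# discussed in the commit, so the missing-Referer failure mode can be run
# without a Rails app. The real helpers live in ActionController::Redirecting;
# the class and error below are stand-ins, not the Rails implementation.
require "uri"

class RedirectBackError < StandardError; end

# Stand-in for a controller: holds the Rack-style request env and records the
# redirect target the way a real controller would set the Location header.
class MiniController
  attr_reader :location

  def initialize(env)
    @env = env      # e.g. { "HTTP_HOST" => "app.example", "HTTP_REFERER" => "https://app.example/x" }
    @location = nil
  end

  # Models the pre-patch pattern `redirect_to :back`: read HTTP_REFERER and
  # raise when it is absent (bots, privacy settings, direct navigation).
  def redirect_to_back
    referer = @env["HTTP_REFERER"]
    raise RedirectBackError, "No HTTP_REFERER was set in the request" if referer.nil? || referer.empty?
    @location = referer
  end

  # Models `redirect_back(fallback_location:)`: same header lookup, but a
  # missing Referer yields the fallback instead of an exception.
  def redirect_back(fallback_location:)
    referer = @env["HTTP_REFERER"]
    @location = (referer.nil? || referer.empty?) ? fallback_location : referer
  end

  # Hypothetical hardening beyond what the commit adds (assumption, not Rails
  # API): only follow a Referer whose host matches this request's Host header,
  # otherwise use the fallback. The fallback in `redirect_back` covers only the
  # absent-Referer case; a present Referer is client-supplied and may be off-site.
  def redirect_back_same_host(fallback_location:)
    referer = @env["HTTP_REFERER"]
    target = begin
      URI.parse(referer.to_s)
    rescue URI::InvalidURIError
      nil
    end
    host = @env["HTTP_HOST"].to_s.split(":").first.to_s.downcase
    same_host = !host.empty? && target && target.host && target.host.downcase == host
    @location = same_host ? referer : fallback_location
  end
end

# Constructed sample requests: a normal same-site click, a request with no
# Referer (bot or privacy-hardened browser), and one arriving from another site.
SAMPLE_REQUESTS = {
  same_site:  { "HTTP_HOST" => "app.example", "HTTP_REFERER" => "https://app.example/items/1" },
  no_referer: { "HTTP_HOST" => "app.example" },
  off_site:   { "HTTP_HOST" => "app.example", "HTTP_REFERER" => "https://attacker.example/lure" },
}

ROOT_PATH = "/" # stand-in for Rails' root_path helper

# Runs each helper against each sample request and returns the Location it
# would send (or the exception class name) so the behaviours can be compared.
def compare_redirects(requests = SAMPLE_REQUESTS, fallback = ROOT_PATH)
  requests.transform_values do |env|
    legacy = begin
      MiniController.new(env).redirect_to_back
    rescue RedirectBackError => e
      e.class.name
    end
    {
      redirect_to_back: legacy,
      redirect_back:    MiniController.new(env).redirect_back(fallback_location: fallback),
      same_host:        MiniController.new(env).redirect_back_same_host(fallback_location: fallback),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_redirects.each { |name, result| puts "#{name}: #{result}" }
end
```

Run with `ruby redirect_back_model.rb`: the `no_referer` row is the case the commit fixes (exception class name versus `/`), while the `off_site` row shows that `redirect_back` and `redirect_to :back` both send the user to the client-supplied Referer, and only the hypothetical same-host variant falls back to `/` there.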
Diffstat (limited to 'guides')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | guides/source/action_controller_overview.md | 2 |
| -rw-r--r-- | guides/source/layouts_and_rendering.md | 8 |

2 files changed, 9 insertions, 1 deletion
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 7e43ba375a..6c622a3643 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -1150,7 +1150,7 @@ class ApplicationController < ActionController::Base def user_not_authorized flash[:error] = "You don't have access to this section." - redirect_to :back + redirect_back(fallback_location: root_path) end end diff --git a/guides/source/layouts_and_rendering.md b/guides/source/layouts_and_rendering.md index 71cc030f6a..779ba6e5e5 100644 --- a/guides/source/layouts_and_rendering.md +++ b/guides/source/layouts_and_rendering.md @@ -628,6 +628,14 @@ You can use `redirect_to` with any arguments that you could use with `link_to` o redirect_to :back ``` +This will raise `ActionController::RedirectBackError` if the request had no +`HTTP_REFERER` information set. To guard against this case, you can provide a +fall back redirect URL by using `redirect_back`: + +```ruby +redirect_back(fallback_location: root_path) +``` + #### Getting a Different Redirect Status Code Rails uses HTTP status code 302, a temporary redirect, when you call `redirect_to`. If you'd like to use a different status code, perhaps 301, a permanent redirect, you can use the `:status` option: |
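Review bot: in the action_controller_overview.md hunk the one-line swap to `redirect_back(fallback_location: root_path)` is the right fix for the `user_not_authorized` example, but unlike the second hunk it adds no sentence explaining why `:back` was replaced, so a reader of this guide never learns that `redirect_to :back` raises `ActionController::RedirectBackError` when the request carries no Referer. Suggest a short note next to the example, or a cross-reference to the `redirect_back` paragraph added in layouts_and_rendering.md, so that the rationale from the commit message is visible in both guides.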
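Review bot: in the layouts_and_rendering.md hunk the new paragraph says only what `redirect_back` does when `HTTP_REFERER` is absent; it should also say what it does when the header is present, namely redirect to that header value, which is supplied by the client and need not point at this application. As written, a reader may take `fallback_location` for a validation of the target rather than a replacement for a missing one. Wording fixes in the same lines: "fall back redirect URL" should be "fallback redirect URL", and "if the request had no `HTTP_REFERER` information set" reads more plainly as "if the request has no `HTTP_REFERER` header". Suggested replacement for the added sentence: "To guard against this case, use `redirect_back`, which redirects to the `Referer` value when one is present and to `fallback_location` otherwise:".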