authorization in Web Services

[danicuki]

Do you think is a good idea to return status code 403 when something is not authorized? I think this should be specially important when using cancan for Web Services authorization. And in that case, what kind of response should be rendered to the Web Service (for example, on a .xml request)?

[ryanb]

You can handle this in the rescue_from method in the application. Perhaps like this.

rescue_from CanCan::AccessDenied do |exception|
  respond_to do |format|
    format.html { redirect_to root_url }
    format.xml { render :xml => "...", :status => 403 }
  end
end

I'll look into this more and add some documentation to the wiki. Thanks for reporting this.

[danicuki]

I did it in another way. I've overrided the unauthorized! method in ApplicationController

def unauthorized!
    render :template => 'layouts/unauthorized', :status => :forbidden
end

[ryanb]

Here is a link to the wiki page for this topic.