Handling a Violated Authorization Policy

Last edit: Jun 05, 2019

This guide will help you handle a violated Authorization Policy.

When an Authorization Policy is violated, the server by default returns the HTTP 403 Forbidden status code. Alternatively, you can customize the 403 error page, render a 404 Not Found page, or redirect the user to a different page. On top of that, you can specify a flash alert message to display.

Requirements

To follow the steps in this tutorial, you should understand the concept of an Authorization Policy. This guide refers to the Authorization Policy created in a previous tutorial (only_allowed_by_johns).

Steps

Handling a violated Authorization Policy is a two-step process:

Step 1: Define redirect or 403 / 404 page display

Define whether you want to redirect the user to another page or display one of the 403 or 404 pages. To redirect the user to a page after a violation, set the redirect_to key. For example, to redirect to the page /login:

---
name: only_allowed_by_johns
redirect_to: /login
---
...

If you would instead like to render a customized 404 page, set http_status to 404:

---
name: only_allowed_by_johns
http_status: 404
redirect_to: ''
---
...

The default behavior is equivalent to setting http_status to 403.

Step 2: Display alert message

To generate a flash alert message, use the flash_alert property:

---
name: only_allowed_by_johns
redirect_to: /login
flash_alert: Please log in to access this page.
---
...

As with all flash messages, you can access it in Liquid using the {} variable.
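The following is an added example, not platformOS code: it parses the flat front matter shown in Steps 1 and 2 and works out the resulting response, making the decision order explicit (the 302 redirect status, and the rule that a non-empty redirect_to wins over http_status, are assumptions inferred from the snippets above, which clear redirect_to before setting http_status).

```python
# Added example (not platformOS code): models how the front-matter keys above
# translate into the server's response when the policy is violated.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ViolationResponse:
    status: int                 # HTTP status sent to the client
    location: Optional[str]     # redirect target, if any
    flash_alert: Optional[str]  # message made available to the next page


def parse_front_matter(policy_file: str) -> dict:
    """Return the key/value pairs between the '---' markers of a policy file."""
    lines = policy_file.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("policy file must start with a '---' front matter block")
    fields = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return fields  # body after the closing marker is not needed here
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed front matter line: {line!r}")
        fields[key.strip()] = value.strip().strip("'\"")  # '' becomes empty
    raise ValueError("front matter block is not closed with '---'")


def resolve_violation(policy_file: str) -> ViolationResponse:
    """Decide the response for a violated policy, following the guide's rules."""
    fields = parse_front_matter(policy_file)
    alert = fields.get("flash_alert") or None
    redirect_to = fields.get("redirect_to", "")
    # Assumption: a non-empty redirect_to takes precedence over http_status,
    # and the redirect is issued with status 302.
    if redirect_to:
        return ViolationResponse(302, redirect_to, alert)
    # Default is 403 Forbidden; 404 additionally hides that the page exists.
    status = int(fields.get("http_status", 403))
    return ViolationResponse(status, None, alert)


# Constructed sample policies mirroring the three snippets in this guide.
POLICY_REDIRECT = "---\nname: only_allowed_by_johns\nredirect_to: /login\n" \
                  "flash_alert: Please log in to access this page.\n---\n..."
POLICY_NOT_FOUND = "---\nname: only_allowed_by_johns\nhttp_status: 404\n" \
                   "redirect_to: ''\n---\n..."
POLICY_DEFAULT = "---\nname: only_allowed_by_johns\n---\n..."
```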

Questions?

We are always happy to help with any questions you may have.