With a standard install of Rails_Admin using Devise for authentication and CanCan for authorization, accessing http://localhost:3000/admin as a non-admin user produces the following server log:
Started GET "/admin" for 127.0.0.1 at 2011-08-09 22:46:10 -0400
Processing by RailsAdmin::MainController#index as HTML
User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."id" = 1 LIMIT 1
Completed 404 Not Found in 151ms
ActionController::RoutingError (No route matches {:controller=>"gyms"}):
app/controllers/application_controller.rb:5:in `block in <class:ApplicationController>'
Everything up until the last part seems ok. As far as I can tell, CanCan rescues the exception properly and attempts to redirect to root_url via the following code:
class ApplicationController < ActionController::Base
protect_from_forgery
rescue_from CanCan::AccessDenied do |exception|
redirect_to root_url, :alert => exception.message
end
end
TopOut::Application.routes.draw do
mount RailsAdmin::Engine => '/admin', :as => 'rails_admin'
devise_for :users
resources :gyms
root :to => "gyms#index"
end
But for some reason, in redirecting to root_url, CanCan is only attempting to hit
{:controller=>"gyms"}
rather than
{:controller=>"gyms", :action=>"index"}
Is this possibly an issue with CanCan? Or is there some particular facet of redirect_to or root_url which I missed in the docs?
Note: this is a duplicate of an issue I opened on CanCan's github page, so I'll be sure to close one if the other is solved.
Based on feedback from users at Github, it appears that routes are being name_scoped and so this is expected behavior.
Proper fix is to call root_url from main_app as follows:
rescue_from CanCan::AccessDenied do |exception|
redirect_to main_app.root_url, :alert => exception.message
end
Credit for the solution goes to bbenezech at https://github.com/sferik/rails_admin/issues/658