Don't assume users can access /codes/issue
sethvargo opened this issue
Previously, all users could issue codes, so it was safe to redirect users to /codes/issue
post-login or post-auth-refresh. However, now it's possible to have users that don't have such permissions. Post-login, they are immediately shown an Authorized page.
Design proposal
Create a new route in login like GET /login/post-authenticate. All post-login actions (from server-side and client-side) always redirect to this route. The logic handler for this route inspects the rbac permissions and decides the "best" place to redirect the authenticated user.
I don't think it's feasible to do this with a helper because most of the authentication is actually client-side javascript.
/cc @whaught
/assign
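A sketch of the proposed /login/post-authenticate handler, added here as an illustration and not code from the verification server itself: the permission bits, the landing pages other than /codes/issue, and the /account fallback are assumptions, and the permission lookup is injected so the handler does not depend on any particular session store.

```go
package main

import "net/http"

// Permission is a hypothetical bitmask standing in for the project's RBAC
// permissions; these names are assumptions, not the server's own constants.
type Permission uint64

const (
	CodeIssue Permission = 1 << iota
	CodeBulkIssue
	StatsRead
)

// Can reports whether p includes every bit in required.
func (p Permission) Can(required Permission) bool { return p&required == required }

// landingPages is ordered from most useful to least; the first page the user
// is permitted to see wins. Every entry is a server-relative path, so the
// redirect can never point off-site. Paths other than /codes/issue are placeholders.
var landingPages = []struct {
	Need Permission
	Path string
}{
	{CodeIssue, "/codes/issue"},
	{CodeBulkIssue, "/codes/bulk-issue"},
	{StatsRead, "/stats"},
}

// postAuthenticatePath returns the first landing page the user may access, or
// fallback when none apply (a user with no permissions in the realm).
func postAuthenticatePath(perms Permission, fallback string) string {
	for _, t := range landingPages {
		if perms.Can(t.Need) {
			return t.Path
		}
	}
	return fallback
}

// handlePostAuthenticate serves GET /login/post-authenticate: every post-login
// and post-auth-refresh flow lands here, and this picks the real destination.
// permsFor resolves the authenticated user's permissions from the request.
func handlePostAuthenticate(permsFor func(*http.Request) Permission) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		dest := postAuthenticatePath(permsFor(r), "/account")
		http.Redirect(w, r, dest, http.StatusSeeOther)
	}
}
```

The client-side login code only ever needs to know one URL, /login/post-authenticate, so the permission logic lives in a single server-side place instead of being duplicated in javascript.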